formbook | 4b4faaccc4842d408c3caad47e364f69dad51765ab242e4dc8c97de0cd190ddc | Triage

Sharing

General

Target

Official Purchase Order 121322.exe
Size

1019KB
Sample

221219-kkaznsef29
MD5

9e40b98924b94ea375faf0bccf2609ee
SHA1

bbb2330799adfffd534505aac9ac112e16f7fc8e
SHA256

4b4faaccc4842d408c3caad47e364f69dad51765ab242e4dc8c97de0cd190ddc
SHA512

c2a3f6653962664b1d830edee1c84ac9a62e1d908b647c6f88f1b21837c3316177c445ea2af17c0326e79d9bf3b5d4b266fbbb3a87b2eb12ffa1cc972a23b9db
SSDEEP

24576:wGTgVIYba1JXh+Q/Fkq1SW0vQ2lBS4G3r5/oOi3bJhxVsWy:wGT6Iz3RJtkqh0vQ2

Score

10^/10

formbook snky rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

snky

Decoy

AiMFvkl6+A4HEgZ99q5x4naN7lGmvJo=

tvj/KUTKeKgxszIemQ==

DTrTokBrjB5leF4=

tPeTOuIjJPtH

taxtMdIygEdpskxzOQ2ZjoAEeA==

CxLuaKAFRrJyuIqQUPbhZw==

Tn4fapT5kPmk1H0gpXQ=

h5p8hDqGSiRzdSbV

i3lg8tbRNRU6jC9pQSOxzHYZgpbnOKBx

EwbfBo6m+UXU2qaVUPbhZw==

WpeenFSMquJ3xXD1/b43

niV5qTFu3tfmcgrI

fqyyyElbdxWswJ7A

Lh7o92ZOr4ghbwvK

Y2RYMDue4x+KszIemQ==

lN3Y3z5AS85eah1MDvfFQQA=

uq+Oqh8MNRxHOOkqA9lqYEZZhJU=

FEtGDeGnnRoSQEM=

TkMlruotvsmtpFwg6shr03LjwMWGow==

7PGx8hNMep8EMj5Q39dsq16IbbaIrA==

Targets

- Target
  
  Official Purchase Order 121322.exe
- Size
  
  1019KB
- MD5
  
  9e40b98924b94ea375faf0bccf2609ee
- SHA1
  
  bbb2330799adfffd534505aac9ac112e16f7fc8e
- SHA256
  
  4b4faaccc4842d408c3caad47e364f69dad51765ab242e4dc8c97de0cd190ddc
- SHA512
  
  c2a3f6653962664b1d830edee1c84ac9a62e1d908b647c6f88f1b21837c3316177c445ea2af17c0326e79d9bf3b5d4b266fbbb3a87b2eb12ffa1cc972a23b9db
- SSDEEP
  
  24576:wGTgVIYba1JXh+Q/Fkq1SW0vQ2lBS4G3r5/oOi3bJhxVsWy:wGT6Iz3RJtkqh0vQ2
Score

10^/10

formbook snky rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooksnkyratspywarestealertrojan

behavioral2

formbooksnkyratspywarestealertrojan