formbook

General

Target

SOA 5139076.exe
Size

243KB
Sample

221221-neay9sfd3t
MD5

928da2b69ca84f54fb68b4a0cdd6208a
SHA1

2ddde07449e586d651a175d2c2d31da540d7a10e
SHA256

ab72cb8573b9eac92ecf32c889a727552d386a5d31cb5daa249d430258e1e855
SHA512

c65af359fdc5bc4024848b6195ef22c518cb7f27e7a15f412989cdfb94a7d936019aab56133912953a42dbd2f03fe5171d2f36fe7953e5969999ae5b8a932855
SSDEEP

6144:rkwk9tOOQC41sjT5Oilk44pMeK/afoURzE9ThHGrniXH:kGwNOiNnmMdmu3

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Targets

- Target
  
  SOA 5139076.exe
- Size
  
  243KB
- MD5
  
  928da2b69ca84f54fb68b4a0cdd6208a
- SHA1
  
  2ddde07449e586d651a175d2c2d31da540d7a10e
- SHA256
  
  ab72cb8573b9eac92ecf32c889a727552d386a5d31cb5daa249d430258e1e855
- SHA512
  
  c65af359fdc5bc4024848b6195ef22c518cb7f27e7a15f412989cdfb94a7d936019aab56133912953a42dbd2f03fe5171d2f36fe7953e5969999ae5b8a932855
- SSDEEP
  
  6144:rkwk9tOOQC41sjT5Oilk44pMeK/afoURzE9ThHGrniXH:kGwNOiNnmMdmu3
Score

10^/10

formbook yurm persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2