formbook | 45da0328945f01d1928068c9648bc57554b0756226365662e3100cf7b19c7840 | Triage

Sharing

General

Target

7015892.zip
Size

233KB
Sample

221221-s3l4nace88
MD5

498a878b5bb02f0d14637ca60bc7f71a
SHA1

186f9741dd4f8ec5d2326d0e12edeb05f633453b
SHA256

45da0328945f01d1928068c9648bc57554b0756226365662e3100cf7b19c7840
SHA512

483b9e78b0d8027764ded790e6f7cda43329c67d1bc2c67ebb6c4b79a5ef86d0956d3a0cbf755838e5075634d514cea600435b130d610bcfde02317015353d13
SSDEEP

6144:Uj+Vn3JN9SO9UgxZVHl4NON8/k1ycJxLqvROu2sfX:USVn3JN9P+Ml4k8UysB1sfX

Score

10^/10

formbook yurm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Targets

- Target
  
  7015892.exe
- Size
  
  252KB
- MD5
  
  19990004ebbc8bf180d02aeda8246db9
- SHA1
  
  52ec8c08e69bc87e65388341a633670da979de48
- SHA256
  
  8f2f6e6735e483a6d8c6aac9817f9bf908e7e63f60a552bb64f8ca77d6c38d0e
- SHA512
  
  e1ef258c3b4f6335100c18ab5143785fa6c74575370db64f31eb4e5751bb160f01763f111bf85f4b61b955c8446a3d9a21237cc7a32b9ff17d58df3329f82f06
- SSDEEP
  
  6144:7kw+Uw9SO9UWxHVHl4NON8lk1ycJxRqvROk2sf5:kH9P+Wl4k86ykBnsf5
Score

10^/10

formbook yurm persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookyurmpersistenceratspywarestealertrojan

behavioral2

formbookyurmpersistenceratspywarestealertrojan