formbook

General

Target

d73252ca8ff73716e936b3d5b35a1ff9eb9b1557d62c38b7b0d84962879aee40
Size

333KB
Sample

230313-m4j3ssaa76
MD5

4a246195bb27825fd930f2e3ac3da414
SHA1

669a3821e941bd9c100a7e104c6eb464d69f05ad
SHA256

d73252ca8ff73716e936b3d5b35a1ff9eb9b1557d62c38b7b0d84962879aee40
SHA512

f0efbcee210d3c5fc9d4ae5be43fa15fa842f447a5f8b842293fbf91e9324e2a0d6ff3e61e02d802501d1e0a40a14abe7339d1897ccb44e60f2c42c3b10704ec
SSDEEP

6144:uYa6G9boybyHR6afmNETTPY8PzGc732UqCjmyWRf0+vsDT9NSCbZjKa:uYo9IHR7rY8LSUqh9Rs+vAIaL

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

top.noforabusers1.xyz:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-5DQBA4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Targets

- Target
  
  d73252ca8ff73716e936b3d5b35a1ff9eb9b1557d62c38b7b0d84962879aee40
- Size
  
  333KB
- MD5
  
  4a246195bb27825fd930f2e3ac3da414
- SHA1
  
  669a3821e941bd9c100a7e104c6eb464d69f05ad
- SHA256
  
  d73252ca8ff73716e936b3d5b35a1ff9eb9b1557d62c38b7b0d84962879aee40
- SHA512
  
  f0efbcee210d3c5fc9d4ae5be43fa15fa842f447a5f8b842293fbf91e9324e2a0d6ff3e61e02d802501d1e0a40a14abe7339d1897ccb44e60f2c42c3b10704ec
- SSDEEP
  
  6144:uYa6G9boybyHR6afmNETTPY8PzGc732UqCjmyWRf0+vsDT9NSCbZjKa:uYo9IHR7rY8LSUqh9Rs+vAIaL
Score

10^/10

formbook remcos remotehost dcn0 collection persistence rat spyware stealer trojan upx
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1