formbook | 51a34678b8a4c241c41ce4f326e9fb6f01607b1bb4a302b64a6e4811d789eb02 | Triage

Sharing

General

Target

51a34678b8a4c241c41ce4f326e9fb6f01607b1bb4a302b64a6e4811d789eb02
Size

1017KB
Sample

240308-rbx66sgg66
MD5

4222ed5bb25451fef7d58549badafdda
SHA1

9c22cf9967db38863975964315757b61c8f4b883
SHA256

51a34678b8a4c241c41ce4f326e9fb6f01607b1bb4a302b64a6e4811d789eb02
SHA512

2c350316c8062e0a23716e904cf237a5e42ff1ae2e083addda37b7f34dc404e47d8b039b9f4a0f8cdb2dd95c31f28f9b4979337a69cb5c88cd0235d5e29a981c
SSDEEP

12288:Y6wnpkQlkkaFIpiiXnXTVCRIaDQ2UtaQwXydUjSZv8PogcM+SwgT6AQSQy4A:Hgbg0nXoR429XTe4mNAtQy4A

Score

10^/10

formbook zgrat pp0t rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

pp0t

Decoy

c9tSf4QHOwJjLbRfkwuwURujn/iH

pq54GqPOHu8U

WeXPb9LyJlOEMnTHjmv+O95VTnX7KA==

U18lwwKHPkJlZ3+u/e3h/zvV

ADj7RlmLOuc5QNhAHo4lWQ==

ifzvnDteMx0b

PmEpuAehVVp1QZV1JIY=

Ab+SQKRM4d7ZidIlwu2y6jTS

iAjigMrD+xQL9IoeDlPm+sY=

XisFVVjH25z9z6jrg3f8OMMHxHxf9Tw=

BeXeBZq31ouzxg==

ysN9oYfOHu8U

ml8KIinPAMgRuTe7fY4=

voMdjO13pzDNk1Q=

/PrtkRtASgyodEc=

Z3UEHTRRgXWhra71DkSvoZrd

qXE75D5v82lO/2hF4vSZ15hMD3dg3Bl4Kw==

x8m0Yaa4x7stHrsS5o7BWw==

0thWfXqJu6Rn/9AZRQ==

/ndSqtQFQYq+qicJodEHK90=

Targets

- Target
  
  51a34678b8a4c241c41ce4f326e9fb6f01607b1bb4a302b64a6e4811d789eb02
- Size
  
  1017KB
- MD5
  
  4222ed5bb25451fef7d58549badafdda
- SHA1
  
  9c22cf9967db38863975964315757b61c8f4b883
- SHA256
  
  51a34678b8a4c241c41ce4f326e9fb6f01607b1bb4a302b64a6e4811d789eb02
- SHA512
  
  2c350316c8062e0a23716e904cf237a5e42ff1ae2e083addda37b7f34dc404e47d8b039b9f4a0f8cdb2dd95c31f28f9b4979337a69cb5c88cd0235d5e29a981c
- SSDEEP
  
  12288:Y6wnpkQlkkaFIpiiXnXTVCRIaDQ2UtaQwXydUjSZv8PogcM+SwgT6AQSQy4A:Hgbg0nXoR429XTe4mNAtQy4A
Score

10^/10

formbook zgrat pp0t rat spyware stealer trojan
- Detect ZGRat V1
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookzgratpp0tratspywarestealertrojan

behavioral2

formbookzgratpp0tratspywarestealertrojan