formbook | a8cadacdc044a5e4138f19f5726562160244e2ced4c78b44d8b5991d12bb8b2a | Triage

Sharing

General

Target

a8cadacdc044a5e4138f19f5726562160244e2ced4c78b44d8b5991d12bb8b2a
Size

231KB
Sample

241121-yx578swpbx
MD5

5d8e15d12d4523dc517d31d76f52d2a4
SHA1

ebdaa62dcd3fc3511c14f26e555d502d757ff853
SHA256

a8cadacdc044a5e4138f19f5726562160244e2ced4c78b44d8b5991d12bb8b2a
SHA512

0024c313b49d5502219b852ca7f45c99095b35935cbdddf5dffc4f648f26291a293cb7cb99a44c7583fcc446fc95f79fae3f2c98abc46c725b561b470523ce68
SSDEEP

6144:Pa5BPlV7QX7GEp9Sge0p7+urCCFd5FYao9AbqpYEL:PaLPlV7QrhCge0Tl5FVoabqpYEL

Score

10^/10

formbook henz discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Targets

- Target
  
  9afee5e6dd1d97f008641020ac405b40512c4c8f3ac1a9ee278eb75d18556bd8
- Size
  
  242KB
- MD5
  
  4a1c5227914a9c9282c5dcd651a0ccbe
- SHA1
  
  f4e41cd45bd8786b22dcae6c78c94ec9f2a810a0
- SHA256
  
  9afee5e6dd1d97f008641020ac405b40512c4c8f3ac1a9ee278eb75d18556bd8
- SHA512
  
  9919d1ce07cefaab0b09b9266f01b4983cc2b7d0e8940f9eac0c6e27c471da0e619238fd15c79925471c9658930e59b118a693809b3c8121918eda39fa1af115
- SSDEEP
  
  6144:LkwMj35iWQXLGEp9Wge0p7+ubCCFd5VYaoVAbqpYEe:i34WQbhmge0Tl5VVoibqpYEe
Score

10^/10

formbook henz discovery rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  anvnzaoum.exe
- Size
  
  49KB
- MD5
  
  ad7b04bf79722139410e67334277fb3b
- SHA1
  
  df89d32ebf661b167032342db2a99d9d71279cf0
- SHA256
  
  75f11c547a4b59ce61b7b920bffabe67c0b0fc763b9e85e3db385c8c7207c2bb
- SHA512
  
  457e541e5d474441038af606b408af5a70f6bae6f87bbe4ab5d8b5ab753793c72c5ae742647d3c27b17070057319ec435fabe1218acbe49be315def29685610f
- SSDEEP
  
  1536:cjjouox7Qn6FqDL4CMY+GsWNMr/5PP+5w:0jos6CL4C2WA4
Score

3^/10

discovery
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookhenzdiscoveryratspywarestealertrojan

behavioral2

behavioral3

behavioral4