formbook | a925156696d4acad19f9063afbd082d0fccbcca820e262a91e730077705ab2a5 | Triage

Sharing

General

Target

5c1bbc3ef13f11786c71d2b038ffac9d_JaffaCakes118
Size

857KB
Sample

240519-3r8hmahd69
MD5

5c1bbc3ef13f11786c71d2b038ffac9d
SHA1

782901838bef058386683429bde3f10926f226da
SHA256

a925156696d4acad19f9063afbd082d0fccbcca820e262a91e730077705ab2a5
SHA512

e93cf0d6a4ec73b75e28189331fd6b8cc5b5d65706725ff35418727429e50e9f292286e136edc289afd31e585d5f6b436a125a9276dc0659b8987dd9ab6b7ce4
SSDEEP

12288:XkESTi3VrUwuW1ScWxRL7QZwupHHRi//ASc9VTiukEH:XkESTi3tUrWpWjQyiKDc9VTiukEH

Score

10^/10

formbook ch140 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ch140

Decoy

emmaelmes.com

www064123.com

elcerritocannabis.com

cyberf8985.com

kaylaschmidt.com

oyu5ahs8.email

yafuxoxedatuyulsst.com

veniceartsociety.com

reternship.com

swastikglasshouse.com

howay-scientica.com

tobinservices.com

allensmartin.com

cirruswork.com

13895385187.com

bestfitnessbands.com

coworkhotel.com

pipertakespictures.com

dqfzeg.info

qpeliculas.net

Targets

- Target
  
  5c1bbc3ef13f11786c71d2b038ffac9d_JaffaCakes118
- Size
  
  857KB
- MD5
  
  5c1bbc3ef13f11786c71d2b038ffac9d
- SHA1
  
  782901838bef058386683429bde3f10926f226da
- SHA256
  
  a925156696d4acad19f9063afbd082d0fccbcca820e262a91e730077705ab2a5
- SHA512
  
  e93cf0d6a4ec73b75e28189331fd6b8cc5b5d65706725ff35418727429e50e9f292286e136edc289afd31e585d5f6b436a125a9276dc0659b8987dd9ab6b7ce4
- SSDEEP
  
  12288:XkESTi3VrUwuW1ScWxRL7QZwupHHRi//ASc9VTiukEH:XkESTi3tUrWpWjQyiKDc9VTiukEH
Score

10^/10

formbook ch140 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Formbook payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookch140persistenceratspywarestealertrojan

behavioral2