General

  • Target: 6fe45f14b8979c44af50fb66d899dc17_JaffaCakes118
  • Size: 857KB
  • Sample: 240524-1nmewace34
  • MD5: 6fe45f14b8979c44af50fb66d899dc17
  • SHA1: b373d5208689c21928d124df0bb2cef405f2f77e
  • SHA256: a8833208d6a934b15334a02ecaee6df9939786f469be1a8d3944a43a53571a43
  • SHA512: f6836a57d8a8ab7096807ab12c4d89c655796803911764576b66fb29e69309e7320f4908b93a2d24ff681475b9d676698b5f00d6abb4fb47c5b4b5f1aced142f
  • SSDEEP: 12288:IXcp2r+s25xYf8Hb0oLAarHDaYdIZqUrz3s2aXcp2r7:IXcp2Cs25bvpdIv3s2aXcp2H

Malware Config (extracted)

  • Family: formbook
  • Version: 3.8
  • Campaign: ch57
  • Decoy domains:


Targets

  • Target: 6fe45f14b8979c44af50fb66d899dc17_JaffaCakes118

  • Formbook: Formbook is an information-stealing malware family.
  • Process spawned unexpected child process: this typically indicates that the parent process was compromised via an exploit or a malicious macro.
  • Formbook payload
  • Executes dropped EXE
  • Loads dropped DLL
  • Adds Run key to start application
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                              ID          Count
  Execution             Exploitation for Client Execution      T1203       1
  Persistence           Boot or Logon Autostart Execution      T1547       1
  Persistence           Registry Run Keys / Startup Folder     T1547.001   1
  Privilege Escalation  Boot or Logon Autostart Execution      T1547       1
  Privilege Escalation  Registry Run Keys / Startup Folder     T1547.001   1
  Defense Evasion       Modify Registry                        T1112       2
  Discovery             Query Registry                         T1012       2
  Discovery             System Information Discovery           T1082       2

Tasks