formbook | a8833208d6a934b15334a02ecaee6df9939786f469be1a8d3944a43a53571a43 | Triage

Sharing

General

Target

6fe45f14b8979c44af50fb66d899dc17_JaffaCakes118
Size

857KB
Sample

240524-1nmewace34
MD5

6fe45f14b8979c44af50fb66d899dc17
SHA1

b373d5208689c21928d124df0bb2cef405f2f77e
SHA256

a8833208d6a934b15334a02ecaee6df9939786f469be1a8d3944a43a53571a43
SHA512

f6836a57d8a8ab7096807ab12c4d89c655796803911764576b66fb29e69309e7320f4908b93a2d24ff681475b9d676698b5f00d6abb4fb47c5b4b5f1aced142f
SSDEEP

12288:IXcp2r+s25xYf8Hb0oLAarHDaYdIZqUrz3s2aXcp2r7:IXcp2Cs25bvpdIv3s2aXcp2H

Score

10^/10

formbook ch57 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ch57

Decoy

langoloverdeselvino.com

sjt5mbd68t.com

gongshilicai.com

carteblanchestudios.com

bctechnicaltraining.com

shokuyo.net

topminde.com

harvardcs.net

ssc-8.com

apshangwei.com

piratedlife.com

caricata.com

xulingxianzhen.com

mtofilm.com

gfuzz.online

satanslibrary.com

wooloficeland.com

emilengler.com

gemvoid.com

magussbrasil.com

Targets

- Target
  
  6fe45f14b8979c44af50fb66d899dc17_JaffaCakes118
- Size
  
  857KB
- MD5
  
  6fe45f14b8979c44af50fb66d899dc17
- SHA1
  
  b373d5208689c21928d124df0bb2cef405f2f77e
- SHA256
  
  a8833208d6a934b15334a02ecaee6df9939786f469be1a8d3944a43a53571a43
- SHA512
  
  f6836a57d8a8ab7096807ab12c4d89c655796803911764576b66fb29e69309e7320f4908b93a2d24ff681475b9d676698b5f00d6abb4fb47c5b4b5f1aced142f
- SSDEEP
  
  12288:IXcp2r+s25xYf8Hb0oLAarHDaYdIZqUrz3s2aXcp2r7:IXcp2Cs25bvpdIv3s2aXcp2H
Score

10^/10

formbook ch57 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Formbook payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookch57persistenceratspywarestealertrojan

behavioral2