formbook | 2e155653e55de265cfccc7878ca28f97a81a5aaa53ce70220d2480987dbe210b | Triage

Sharing

General

Target

c4df520118d965fb2ab0bde1dcc09ff3_JaffaCakes118
Size

730KB
Sample

240827-m6fhdsxeke
MD5

c4df520118d965fb2ab0bde1dcc09ff3
SHA1

ef4144775c594a5b327c07c303a05d80a02be2a6
SHA256

2e155653e55de265cfccc7878ca28f97a81a5aaa53ce70220d2480987dbe210b
SHA512

c556c0794fd1b8a7dcedce0e6c865e9a98314a262b982558d7e1af9872968f2173c2f73e7942d77210fbbcf43ba26902ad5658bb14d3b1b26bb80c895b5b4080
SSDEEP

12288:/OMm3F8MGhjSyUo7sIcnfDETcX8jf0NLOQL8Iunvmqe:3m1rGhj09IcfATw8jfMLXYnvml

Score

10^/10

formbook ch52 credential_access defense_evasion discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ch52

Decoy

olyzee.com

fulguropop.com

oceancountybankruptcylawyer.com

rmrwoods.com

jiegenghualang.com

strongshopping.net

bestifwest.com

ruggedcrossmusic.net

sveja.gmbh

smoothrepairs.info

viemmaotinhhoan.com

thebalancedlifecenter.com

863bifa.com

waldospost.com

tripsinpano.com

usvxhr.loan

sibillaonceuponatimeisnow.com

yodatironil.com

ib-habibmetro.com

dulcescreativos.com

Targets

- Target
  
  c4df520118d965fb2ab0bde1dcc09ff3_JaffaCakes118
- Size
  
  730KB
- MD5
  
  c4df520118d965fb2ab0bde1dcc09ff3
- SHA1
  
  ef4144775c594a5b327c07c303a05d80a02be2a6
- SHA256
  
  2e155653e55de265cfccc7878ca28f97a81a5aaa53ce70220d2480987dbe210b
- SHA512
  
  c556c0794fd1b8a7dcedce0e6c865e9a98314a262b982558d7e1af9872968f2173c2f73e7942d77210fbbcf43ba26902ad5658bb14d3b1b26bb80c895b5b4080
- SSDEEP
  
  12288:/OMm3F8MGhjSyUo7sIcnfDETcX8jf0NLOQL8Iunvmqe:3m1rGhj09IcfATw8jfMLXYnvml
Score

10^/10

formbook ch52 credential_access discovery persistence rat spyware stealer trojan defense_evasion
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Exploitation for Client Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookch52credential_accessdiscoverypersistenceratspywarestealertrojan

behavioral2

defense_evasion