formbook | e9c319f012e0574d2bb29ff08b5d44ac65cacdbbd89532e9ad489e94022e621d | Triage

Sharing

General

Target

9c29874373b8bcbc831002ce5494124a_JaffaCakes118
Size

613KB
Sample

241125-r6g4fa1qhz
MD5

9c29874373b8bcbc831002ce5494124a
SHA1

007fe9849818beb13411dbbbcc67dfa1705e223e
SHA256

e9c319f012e0574d2bb29ff08b5d44ac65cacdbbd89532e9ad489e94022e621d
SHA512

9ecd05ea153ff669ce3671f88a11ed01ca2f72d2f020fe3ccdcb43108108d2acc289d95f52e5b2fae9cb5711537ea04a79b015d58f7e0f9603572d03862931f0
SSDEEP

12288:HjiDyb2Ky6PJsw1Z05z2sR/y8eMMyuI9xWwjozwk/+nlkh4adbDK17suTJ:DiDyb2KfBJ1Z05ysFy8eMMyuIzWmhYeX

Score

10^/10

formbook chu20 bootkit discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

chu20

Decoy

bringingenglewoodtogether.com

corrisneaker.com

findthesellers.info

118isp.com

vrsconcrete.com

tv-format.com

zs-chuangjian.com

karolczyk.online

amacproducts.com

paraisoboipeba.com

eracto.site

secretgardenrsf.com

village-realty.com

penlogos.com

godhasthe.solutions

dow.care

loadgid2sd.com

viewfromthedocs.com

abobo.site

blacksungroupinternational.com

Targets

- Target
  
  MAERSK Tracking Document.scr
- Size
  
  924KB
- MD5
  
  3a8f82508c711f924c54faa42d31a59a
- SHA1
  
  b97dc139f2d5027e74f03b1ef9e0949a83d62c54
- SHA256
  
  54bd1e36470a85b388bf211308b661eb8f6cf52300ed006a8adaa3d9d087cf9d
- SHA512
  
  288aa5b52e6082c383385003b806bf75d9ef17990b3fc6acb5cac5e20710b4a0125729d556a907336269c778fc5bd283c2b2d606230f4729f1515be2d5e69545
- SSDEEP
  
  12288:AiB4sLf+BvqbT+ZJjHKqrKdLazzSYCUZRFRrKdFP55FW/Bw8ytA7RATi+esTCmf:AiB4PlFJWqQLkJezjyBjytA7S2mf
Score

10^/10

formbook chu20 bootkit discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Deletes itself
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookchu20bootkitdiscoverypersistenceratspywarestealertrojan

behavioral2

formbookdiscoveryspywarestealertrojan