formbook | a841cd61602019eeb2af295482f83c89032aa25c59457a83a1a3f2c275961989 | Triage

Submit
Reports

Overview

overview

Static

static

1

9dde617fbe...18.rtf

windows7-x64

9dde617fbe...18.rtf

windows10-2004-x64

1

Sharing

General

Target

9dde617fbec0417339ab2bfe4ccc3af8_JaffaCakes118
Size

857KB
Sample

240611-mh2qqatcrf
MD5

9dde617fbec0417339ab2bfe4ccc3af8
SHA1

8b2ee2277b339c23e48c3aa93a570e8932aa6160
SHA256

a841cd61602019eeb2af295482f83c89032aa25c59457a83a1a3f2c275961989
SHA512

d0538086f3a1e676a442bd0518e1eec3367bd4f5c5e92b8e104ee3811336fc186ace34c8eaf3b113353609ffc1855005a075f5b188454652f442dc61234c83f8
SSDEEP

24576:FNjlDxKqaS4LQHn5r1Yb8bdt/EtOc+xuNjll:m

Score

10^/10

formbook ch49 persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

9dde617fbec0417339ab2bfe4ccc3af8_JaffaCakes118.rtf

Resource

win7-20240221-en

formbook ch49 persistence rat spyware stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

9dde617fbec0417339ab2bfe4ccc3af8_JaffaCakes118.rtf

Resource

win10v2004-20240508-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ch49

Decoy

splashingsuits.com

risingchefs.com

lalune.photo

naturedocclinic.com

sz-dgm.com

dialitica.com

tabletoprentalsnj.com

gullonthebay.net

sszhvip.com

402man.com

365bdc.net

opensourcenoself.com

aarhaluxuryresort.com

gvs-cargo.com

lwhwdx.info

fiw.biz

prismpaintingmi.com

ollie.email

dqrbj.com

tuanlongan.com

kosmetik-ulrike-geusen.com

957yb.com

databasekids.com

oqwbpvg.com

csm.ink

lovelightsuniversity.love

formaciontrespuntocero.com

7mudkg.com

nzokl.info

22craftysheep.com

sibarisdevices.com

directratenow.online

wearskylecom.com

alphamonstersite.review

pawi.ltd

stunningbody-now.com

cbz5z.info

wihmxvs.com

therealotees.com

honifu72.win

hntzzy323huali.com

xn--propriets-prives-iqbg.com

pinpanwedding.com

produsensarungmobil.com

topal-kebab.com

chocophotography.net

getdnd.com

pygmalionshokai.com

lunchwith4.com

jhtdz.com

makemebi.com

matthieuleenhardt.com

aedx2712e1.biz

bioxinformatics.com

ssxnydj.com

elitetecnetwork.com

pulsemetrics.net

olpass.com

joebreezy2018.com

spinlanding.world

boondns.com

sxzhangbei.com

donghuatieyi.com

imageessay.net

crepox.com

Targets

- Target
  
  9dde617fbec0417339ab2bfe4ccc3af8_JaffaCakes118
- Size
  
  857KB
- MD5
  
  9dde617fbec0417339ab2bfe4ccc3af8
- SHA1
  
  8b2ee2277b339c23e48c3aa93a570e8932aa6160
- SHA256
  
  a841cd61602019eeb2af295482f83c89032aa25c59457a83a1a3f2c275961989
- SHA512
  
  d0538086f3a1e676a442bd0518e1eec3367bd4f5c5e92b8e104ee3811336fc186ace34c8eaf3b113353609ffc1855005a075f5b188454652f442dc61234c83f8
- SSDEEP
  
  24576:FNjlDxKqaS4LQHn5r1Yb8bdt/EtOc+xuNjll:m
Score

10^/10

formbook ch49 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbookch49persistenceratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy