formbook | 5c7e88f3840237ba479019cc2c86421db7f695c13dfeffe7f2db121158e42d81 | Triage

Submit
Reports

Overview

overview

Static

static

1

bbaaca3df2...18.rtf

windows7-x64

bbaaca3df2...18.rtf

windows10-2004-x64

1

Sharing

General

Target

bbaaca3df24ceb257d22854cac390f46_JaffaCakes118
Size

973KB
Sample

240618-ngr1kavhpm
MD5

bbaaca3df24ceb257d22854cac390f46
SHA1

42eabeb3ee7475b1a68babe2aa96118c6c3e6e1e
SHA256

5c7e88f3840237ba479019cc2c86421db7f695c13dfeffe7f2db121158e42d81
SHA512

abc5b31f99bd39862fa6adad60191bcb26f9fcfd72c12bb67dca62dc6064858ee67b4bc8498a2eaf629a820bb2528d0a8a534c3a2375735008c5c4f4223e041e
SSDEEP

24576:s4zQaPkDpZdKUUyUn6HaNpKwD0gpV6HwR:J

Score

10^/10

formbook xa persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

bbaaca3df24ceb257d22854cac390f46_JaffaCakes118.rtf

Resource

win7-20240611-en

formbook xa persistence rat spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

bbaaca3df24ceb257d22854cac390f46_JaffaCakes118.rtf

Resource

win10v2004-20240508-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

xa

Decoy

laplayaencantada.net

francesemartin.biz

mydailyadverts.biz

themansiononwalnut.com

kccoin.net

lighthousenw.net

ideadubai.com

coat.ink

happiestmarriage101.com

god16.com

datecleanse.com

559453.top

nagwarerecords.com

xn--husw9zrks.com

welfarereform.net

grupocastedia.com

aqua-armor.online

hopugo.com

mylovesociety.com

exploremusicjax.com

allizo-finance.com

tcfdwx.com

sc.company

gpkpdbj.com

sbawar.com

truemed-shop.com

logantherapy.com

mjstfy.men

gahannalionsroar.com

nativelychicoil.com

seepalmdeserthomesforsale.com

bigsuvfan.live

baoxianxian.com

pakietowaniewakacji.com

slot44.online

johncparsons2.net

wanjiahuishou.com

healthcare-analytics-uk.com

awoara.com

aspenpic.com

godlysaw.cat

6xv2ebf.info

eczvpo.men

gzjrkj.net

softland.biz

customercarehelp.net

6095rr.com

salshowdocesesalgados.com

sckltm.info

wykmall.com

networksupport.world

170crestviewdrive.com

tahchinfoods.com

vqovi.info

patrickheffernanlighting.com

oilheatcare.com

smallcapwonder.com

6figureacademic.com

jsthxp.men

strengthexplain.net

commentchatva.com

multiuniverstring.com

coolveer.com

provenexecs.net

mansiobbok.com

Targets

- Target
  
  bbaaca3df24ceb257d22854cac390f46_JaffaCakes118
- Size
  
  973KB
- MD5
  
  bbaaca3df24ceb257d22854cac390f46
- SHA1
  
  42eabeb3ee7475b1a68babe2aa96118c6c3e6e1e
- SHA256
  
  5c7e88f3840237ba479019cc2c86421db7f695c13dfeffe7f2db121158e42d81
- SHA512
  
  abc5b31f99bd39862fa6adad60191bcb26f9fcfd72c12bb67dca62dc6064858ee67b4bc8498a2eaf629a820bb2528d0a8a534c3a2375735008c5c4f4223e041e
- SSDEEP
  
  24576:s4zQaPkDpZdKUUyUn6HaNpKwD0gpV6HwR:J
Score

10^/10

formbook xa persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Formbook payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbookxapersistenceratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy