Overview

overview

10

Static

static

3

2db31476ba...18.exe

windows7-x64

10

2db31476ba...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2db31476ba89c2eb13093df7a02c45ab_JaffaCakes118

  • Size

    373KB

  • Sample

    240329-1rnr4saf9s

  • MD5

    2db31476ba89c2eb13093df7a02c45ab

  • SHA1

    0ecbb0458d025f27fa946b7176e76bc05df8795d

  • SHA256

    c6b8a03b94f79fb661cb2bdd0e8a332103ab2974c288b6ab7740acf6aa45af5d

  • SHA512

    57656d89ab7fdf8627cc510d5482eee8d89401d3d8de7743a94ab3341567a40332c2835199b92dafc488f36a26f3f2bb603209367e7dccaafe92ebf8a89f4596

  • SSDEEP

    6144:XVV4XoMMkhB9zJOWH4+mnW/OA8IAJ+qZKmHIJJlhfkXjeSFyzoU5LCf5+PXjf2iC:XViXoHSBZJpY+9/j8yqZKKIJXhsXi2ey

Score
10/10
formbookg8niratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g8ni

Decoy

nickmowat.com

garethjame.biz

colibrilift.com

vulnerabilitylabs.one

neuro-ai-web-ru.website

16mcnaestreetmooneeponds.com

bestofstmaarten.net

meditelier.com

ragnarduke.com

escueladecampo.com

vongtayvn.com

inmemoriamaan.com

yourpeoplemanager.com

r6-gytr.com

agreeablebeauty.com

snpconfirms.com

tribalurq.quest

purafuse.com

cisco-training-course.com

wery.top

Targets

    • Target

      2db31476ba89c2eb13093df7a02c45ab_JaffaCakes118

    • Size

      373KB

    • MD5

      2db31476ba89c2eb13093df7a02c45ab

    • SHA1

      0ecbb0458d025f27fa946b7176e76bc05df8795d

    • SHA256

      c6b8a03b94f79fb661cb2bdd0e8a332103ab2974c288b6ab7740acf6aa45af5d

    • SHA512

      57656d89ab7fdf8627cc510d5482eee8d89401d3d8de7743a94ab3341567a40332c2835199b92dafc488f36a26f3f2bb603209367e7dccaafe92ebf8a89f4596

    • SSDEEP

      6144:XVV4XoMMkhB9zJOWH4+mnW/OA8IAJ+qZKmHIJJlhfkXjeSFyzoU5LCf5+PXjf2iC:XViXoHSBZJpY+9/j8yqZKKIJXhsXi2ey

    Score
    10/10
    formbookg8niratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks