Overview

overview

10

Static

static

3

419b8fbf8c...18.exe

windows7-x64

10

419b8fbf8c...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    419b8fbf8ca9417802fec54932b21f75_JaffaCakes118

  • Size

    420KB

  • Sample

    240330-w6q4kace47

  • MD5

    419b8fbf8ca9417802fec54932b21f75

  • SHA1

    e8e5f943e65532a7317dae25894825cfb8187fdf

  • SHA256

    de5b63f4ffe84d34885e76b8f29147ab33106eeb4b3800d57c0e1edd23866fd8

  • SHA512

    5158408f1e32abe89be6e78f1baf8254293a2c3b160799b0813d471f5db31a8a0816c2431beb0467c007ed0e25567b263b551884e20ee2a5fd01807f46d313d0

  • SSDEEP

    6144:C37ZCkv/N2mK4vZKhrLslLT7yVKxpqjVyQBAHSUf29HwoXFaMRyGbTB5FY:C37ZCc24PmKxXQwft27jbTDi

Score
10/10
formbooku1bsratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

u1bs

Decoy

ln-safe-keepingmisva4.xyz

rtfh.xyz

awolin.link

metadlf.com

cardboardcasual.com

psicoterapiahablada.com

spaminator.xyz

hnjqzl.top

dentalyinovasi.site

biosynblas.com

zvyk.store

shreevishwakarmaservices.com

showersplash.com

norbert-roth.com

londoncapitaltraders.com

istanbuldonerkebabheroncity.com

realdiscountsnow.com

marlinplumbingwnc.com

magazinadziavane.com

qantv.com

Targets

    • Target

      419b8fbf8ca9417802fec54932b21f75_JaffaCakes118

    • Size

      420KB

    • MD5

      419b8fbf8ca9417802fec54932b21f75

    • SHA1

      e8e5f943e65532a7317dae25894825cfb8187fdf

    • SHA256

      de5b63f4ffe84d34885e76b8f29147ab33106eeb4b3800d57c0e1edd23866fd8

    • SHA512

      5158408f1e32abe89be6e78f1baf8254293a2c3b160799b0813d471f5db31a8a0816c2431beb0467c007ed0e25567b263b551884e20ee2a5fd01807f46d313d0

    • SSDEEP

      6144:C37ZCkv/N2mK4vZKhrLslLT7yVKxpqjVyQBAHSUf29HwoXFaMRyGbTB5FY:C37ZCc24PmKxXQwft27jbTDi

    Score
    10/10
    formbooku1bsratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks