General

  • Target

    9b288f1ed4b43253489dbd03b8902445_JaffaCakes118

  • Size

    847KB

  • Sample

    240403-aqsrkaab5w

  • MD5

    9b288f1ed4b43253489dbd03b8902445

  • SHA1

    1aaaf8dcc605ec1ce72bbadea6655ce26eb31517

  • SHA256

    fe68fa8aa8522badacc0c97554cd4a1b8d466dd16dc61b86542e799db0d1f7ae

  • SHA512

    e22b548195c3528869d0f67b0036fab1f95c6f74e70a8b77b829822487916e99c5fe12b49635856c667ee78a459163dbdb899c0833d9c8502246180b74096db1

  • SSDEEP

    12288:TaOZoS4FJfBSkkkkkkkkkkkkkkx9L+kIkkvkkkkkkkk7ZLmfKWYEh2JmDt1J3y/R:QXklIKyWYI2IhfYl12Hk

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hs3h

Decoy


Targets

    • Target

      9b288f1ed4b43253489dbd03b8902445_JaffaCakes118

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scheduled Task/Job (T1053): 1

  • Persistence

    Scheduled Task/Job (T1053): 1

  • Privilege Escalation

    Scheduled Task/Job (T1053): 1

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 2

  • Discovery

    Query Registry (T1012): 4

    Virtualization/Sandbox Evasion (T1497): 2

    System Information Discovery (T1082): 3

    Peripheral Device Discovery (T1120): 1