Overview

overview

10

Static

static

3

f977c49f21...18.exe

windows7-x64

10

f977c49f21...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f977c49f21e8d60f6155a1f7c2e03998_JaffaCakes118

  • Size

    927KB

  • Sample

    240419-epf4lagc24

  • MD5

    f977c49f21e8d60f6155a1f7c2e03998

  • SHA1

    45c356d32e688a3bc54320ae78d0afa40bd91ea4

  • SHA256

    114978bf0570247af3841ce1a27168bbc3332b1332729e1924994db5b3831264

  • SHA512

    e3f285cac7e31a8d090c85d0169f0704a70f979299236a25ec4831f45b5c64e7769e0b385af64000e8377f7a903f63e7abed757fbc1703bc902e6c2db7b09cbc

  • SSDEEP

    12288:7P3CFwxyPMe0b97ehLvu4wTHHLgnVi+Yv1jkZVpFaBxF7O7yaUVKnpPpEP2K/Wp3:7P33UUeKehLVwHHQVsvG5mxwOahpPG

Score
10/10
formbookqbbdratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

qbbd

Decoy

sympa.digital

psm-gen.com

migliodoroparkhotelercolano.com

aloftopshop.com

hybridsonic.com

thomashomecenter.net

randsgoods.com

bambirtuevirtualex.com

fairlepoint.com

1hourcovidswab.com

botancanta.com

steelvalleyburners.com

bokket.com

etihadcafe.com

pretendcash.com

jacquesweyers-studios.com

estanteseletiva.com

bsan.life

citestbiz1597720556.com

msvwalker.com

Targets

    • Target

      f977c49f21e8d60f6155a1f7c2e03998_JaffaCakes118

    • Size

      927KB

    • MD5

      f977c49f21e8d60f6155a1f7c2e03998

    • SHA1

      45c356d32e688a3bc54320ae78d0afa40bd91ea4

    • SHA256

      114978bf0570247af3841ce1a27168bbc3332b1332729e1924994db5b3831264

    • SHA512

      e3f285cac7e31a8d090c85d0169f0704a70f979299236a25ec4831f45b5c64e7769e0b385af64000e8377f7a903f63e7abed757fbc1703bc902e6c2db7b09cbc

    • SSDEEP

      12288:7P3CFwxyPMe0b97ehLvu4wTHHLgnVi+Yv1jkZVpFaBxF7O7yaUVKnpPpEP2K/Wp3:7P33UUeKehLVwHHQVsvG5mxwOahpPG

    Score
    10/10
    formbookqbbdratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks