General

  • Target: fc612a9f5159c2119e9845550cf76d40_JaffaCakes118
  • Size: 477KB
  • Sample: 240420-kr2qzade5z
  • MD5: fc612a9f5159c2119e9845550cf76d40
  • SHA1: b749e66a8820d07795faed642818d760fcba27be
  • SHA256: 14e57b9ae3f67594d88cd7f6f83ab0449b3cb407a6eaba0ad45e65615c6d74ea
  • SHA512: 2b8adca18c724250aa46e6b183d85a10e9d0d572a297f772ce4a4d773fbf60d3f063ee7328e3eee137ac11ec1a1b2b1ed26138dfe3eb111dcf21e1cfc01f65b1
  • SSDEEP: 6144:IJzKf/zmCja4qQmQCrcbnFuuUcTFx0T21BOcCSaa1MSSB6T1KpQcHCbh:IJY1ja4qQ+rcbFudkuN/S/1MSSPQcHK

Malware Config

Extracted

  • Family: formbook
  • Version: 3.9
  • Campaign: fr
  • Decoy


Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
      Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation
      Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion
      Modify Registry (T1112): 1

  • Discovery
      Query Registry (T1012): 1
      System Information Discovery (T1082): 2

Tasks