General
-
Target
18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118
-
Size
424KB
-
Sample
240505-vbypgsad87
-
MD5
18882465f8b6e72a46669d4aa2e78cb1
-
SHA1
b05a070b6c3fec5330d1413594a4b17b19099a02
-
SHA256
6e521645df736e76b57cdf6996cee4a5148e649cee75be8f36ccfb008f047fa6
-
SHA512
388e34cfc7a43a062e0c389611036b7953a99d4def7699852d875c2fcdc7c6a79205d85fa128aae9d48d9c37888d60611390640086a7e7a3e4b0e38173964e44
-
SSDEEP
6144:6N9JYSDAzaiTCXkJNlMgpV5Nj3QmlsPt5GM/x1lPWojLWYM+6LpfeR14Kn3r/u/t:67RAzTukj/Nj5OlzW3ppWbhn3TcWId
Malware Config
Extracted
formbook
3.8
h308
sewrelax.com
southbaycurling.rocks
hongju101.com
nikkismithonline.com
bluprl.net
slursthisshark.com
smootord.com
buyoregonhemp.com
stepstolight.com
mchausverwalter.com
cofidis.cloud
queenartjewellery.com
samoedrasalvageengineers.com
skull.ltd
leapmotors.net
gayo.ltd
philborremans.com
yeezywaverunner700.com
febriananas.com
railor-music.com
Targets
-
-
Target
18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118
-
Size
424KB
-
MD5
18882465f8b6e72a46669d4aa2e78cb1
-
SHA1
b05a070b6c3fec5330d1413594a4b17b19099a02
-
SHA256
6e521645df736e76b57cdf6996cee4a5148e649cee75be8f36ccfb008f047fa6
-
SHA512
388e34cfc7a43a062e0c389611036b7953a99d4def7699852d875c2fcdc7c6a79205d85fa128aae9d48d9c37888d60611390640086a7e7a3e4b0e38173964e44
-
SSDEEP
6144:6N9JYSDAzaiTCXkJNlMgpV5Nj3QmlsPt5GM/x1lPWojLWYM+6LpfeR14Kn3r/u/t:67RAzTukj/Nj5OlzW3ppWbhn3TcWId
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-