formbook

General

Target

202a5d15ae9926a1dec141ed13065ad5_JaffaCakes118
Size

501KB
Sample

240507-lbhtlaab5y
MD5

202a5d15ae9926a1dec141ed13065ad5
SHA1

97a84b26c9f2f8a89fbbd8e3c35f673d17704fdf
SHA256

94e25372afeae0e0ef0dad8a783a6534e85f226734ba0ef2fd31625cec9f30c3
SHA512

48db4216a95b40d0f96384a9c3acdf7bc40a1fa7005a5b67a5b45475d8f039dccc579800932019e985952bc018219943f89c9bd59a7e83d57e0a7ba3b411a167
SSDEEP

12288:4N5H2IYf7y99IjxHncQNGt0ToygPUTbRMCdZW:yTYf7R9PNGtMAUTbK

Score

10^/10

formbook um agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

um

Decoy

tophandbagmart.com

indycabinetconnection.com

lastmonthsnews.com

schoolofgeneius.com

talkingtoms.com

pleasefixmyheat.com

nvdough.com

tauruslegal.com

designercoverscustom.com

clubdevfun.com

pourpop.com

republiccreditcoin.com

nmochat.com

techpriors.com

apartmentsomr.com

edjamesjones.com

hxtfgs.com

betturka.media

organicwaisttrainingcorset.com

foxtrotfilm.com

Targets

- Target
  
  202a5d15ae9926a1dec141ed13065ad5_JaffaCakes118
- Size
  
  501KB
- MD5
  
  202a5d15ae9926a1dec141ed13065ad5
- SHA1
  
  97a84b26c9f2f8a89fbbd8e3c35f673d17704fdf
- SHA256
  
  94e25372afeae0e0ef0dad8a783a6534e85f226734ba0ef2fd31625cec9f30c3
- SHA512
  
  48db4216a95b40d0f96384a9c3acdf7bc40a1fa7005a5b67a5b45475d8f039dccc579800932019e985952bc018219943f89c9bd59a7e83d57e0a7ba3b411a167
- SSDEEP
  
  12288:4N5H2IYf7y99IjxHncQNGt0ToygPUTbRMCdZW:yTYf7R9PNGtMAUTbK
Score

10^/10

formbook um agilenet rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Obfuscated with Agile.Net obfuscator

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2