General

  • Target

    5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118

  • Size

    19KB

  • Sample

    240520-b9pdxsef3s

  • MD5

    5c92714c7fc8fcd425c5e2ef0b4a217b

  • SHA1

    d86c2586952d0082ee0b9d8f62e88356f52a4faf

  • SHA256

    5567b917f6a654268f367ca76a663f87c1e9b44a997cdac64935cc4105014c08

  • SHA512

    eaa139da94753953fb2b5bc02b5a9eb34913c8eb1e13a5e4dc3f81822e9c4702048e581c1725a989ed2733b528ed2da125923084c414620841b8eebc802c9179

  • SSDEEP

    384:LBA6H714HOnS7B1scgfYdfeB68EDgf2h8:LBWHuS5gQEREUf2h8

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    nds

  • Decoy

    Formbook configs carry a list of domains in which the live C2 is hidden among decoys, and the decoys can be legitimate sites. Treat the entries below as leads to correlate with host evidence rather than as a ready-made blocklist.

    superiortelecare.com
    banxtube.com
    tartonsprconstruction.com
    r3msportsgroup.net
    gcpplusquote-qa.com
    ny004.xyz
    solomonislandsforum.com
    credit2wealthuniversity.com
    parkavenueheightscd.com
    millhillattorneys.com
    gofoodreport.com
    szylgy.com
    bcsleadership.com
    bestmichigancharters.com
    financiant.com
    alimentosmonteolivo.com
    marastrawberry.com
    centraxix.com
    indexofscience.com
    editorialpoints.com
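The following is an added example, not part of the sandbox report or of the Formbook sample, showing how a responder would turn the hashes and the decoy list above into a triage check: it compares a file's MD5 and SHA-256 against the reported values, scans DNS query log lines for the listed domains (including subdomains), and ranks clients by how many distinct listed domains they resolved, since a host walking through several config domains is a far stronger signal than a single hit on a possibly legitimate decoy. The log line format and the sample log lines are constructed for the demo.

```python
"""Correlate the report's IOCs with local artifacts.

Added example, not part of the sandbox report or the Formbook sample:
it checks a file's hashes against the reported values and scans DNS
query log lines for the extracted decoy domains. The log format and the
log lines below are constructed for the demo.
"""
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Hashes copied from the report's General section.
REPORT_MD5 = "5c92714c7fc8fcd425c5e2ef0b4a217b"
REPORT_SHA256 = "5567b917f6a654268f367ca76a663f87c1e9b44a997cdac64935cc4105014c08"

# Decoy list from the extracted config. Formbook hides its live C2 in a
# list of decoys, so a single DNS hit is a lead, not a confirmed infection.
DECOY_DOMAINS: Set[str] = {
    "superiortelecare.com", "banxtube.com", "tartonsprconstruction.com",
    "r3msportsgroup.net", "gcpplusquote-qa.com", "ny004.xyz",
    "solomonislandsforum.com", "credit2wealthuniversity.com",
    "parkavenueheightscd.com", "millhillattorneys.com", "gofoodreport.com",
    "szylgy.com", "bcsleadership.com", "bestmichigancharters.com",
    "financiant.com", "alimentosmonteolivo.com", "marastrawberry.com",
    "centraxix.com", "indexofscience.com", "editorialpoints.com",
}

# Constructed log format (assumption): "<ts> client=<ip> qname=<fqdn>. qtype=<t>"
LOG_LINE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


def hash_bytes(data: bytes) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests of a file's bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def matches_report(data: bytes) -> bool:
    """True only if both reported hashes match; an MD5 match alone is not enough."""
    md5, sha256 = hash_bytes(data)
    return md5 == REPORT_MD5 and sha256 == REPORT_SHA256


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched listed domain) for every query
    that resolves a listed domain or any subdomain of it."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        for dom in DECOY_DOMAINS:
            if qname == dom or qname.endswith("." + dom):
                hits.append((m.group("client"), qname, dom))
                break
    return hits


def rank_clients(hits: List[Tuple[str, str, str]]) -> List[Tuple[str, int]]:
    """Count distinct listed domains per client. Formbook cycles through
    several config domains in a row, so a host touching many of them is a
    much stronger signal than one touching a single (possibly legitimate) site."""
    seen: Dict[str, Set[str]] = {}
    for client, _qname, dom in hits:
        seen.setdefault(client, set()).add(dom)
    return sorted(((c, len(d)) for c, d in seen.items()), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample log lines for the demo (not from the report).
SAMPLE_LOG = """\
2024-05-20T02:10:01Z client=10.0.0.12 qname=www.bestmichigancharters.com. qtype=A
2024-05-20T02:10:03Z client=10.0.0.12 qname=ny004.xyz. qtype=A
2024-05-20T02:10:05Z client=10.0.0.12 qname=szylgy.com. qtype=A
2024-05-20T02:10:07Z client=10.0.0.12 qname=szylgy.com. qtype=AAAA
2024-05-20T02:11:40Z client=10.0.0.33 qname=financiant.com. qtype=A
2024-05-20T02:12:00Z client=10.0.0.33 qname=www.example.com. qtype=A
"""

if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_LOG.splitlines())
    for client, n in rank_clients(hits):
        print(f"{client}: {n} distinct listed domains")
    print("sample bytes match report:", matches_report(b"not the sample"))
```

On real data, feed `scan_dns_log` the resolver or EDR DNS log lines (adjusting `LOG_LINE` to the actual format) and escalate the clients at the top of `rank_clients` first; a client with one hit on a decoy that is a normal website for your users is the false positive the caveat above warns about.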

Targets

    • Target

      5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118

    • Formbook

      Formbook is an information stealer: it hooks browser and application forms to capture submitted credentials, logs keystrokes and clipboard contents, can take screenshots, and sends what it collects to its C2 infrastructure.

    • Modifies WinLogon for persistence

    • Formbook payload

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
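The two persistence signatures above (Modifies WinLogon for persistence, Adds Run key to start application) map to registry values a responder can check directly. The following is an added example, not from the report or the sample: it parses the text that `reg query <key>` prints on Windows, compares the Winlogon `Shell` and `Userinit` values against their stock defaults, and flags Run-key entries that launch from user-writable directories. The sample `reg query` output is constructed for the demo, and the suspicious-directory list is an assumption to tune per environment.

```python
"""Audit Winlogon helper values and Run keys from `reg query` output.

Added example, not from the sandbox report: it parses the text that
`reg query <key>` prints on Windows and flags the two persistence
techniques the report lists, Winlogon Helper DLL (T1547.004) and
Registry Run Keys (T1547.001). The sample output below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Stock Windows 10/11 values (lowercased); anything else in these names is a finding.
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}

# Assumed list of user-writable locations a Run entry should rarely point at;
# tune per environment (droppers commonly stage under AppData or Temp).
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# reg query separates columns with runs of four spaces; value names may
# themselves contain single spaces, so split only on two or more.
VALUE_LINE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}; key paths are the unindented lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data").strip()
    return keys


def audit(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (technique, key_path, value_name, data) for each suspicious entry."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith(r"\winlogon"):
            for name, data in values.items():
                expected = WINLOGON_DEFAULTS.get(name.lower())
                # A second program appended after the default is the classic edit.
                if expected is not None and data.lower() != expected:
                    findings.append(("T1547.004", path, name, data))
        elif low.endswith(r"\run") or low.endswith(r"\runonce"):
            for name, data in values.items():
                if any(d in data.lower() for d in SUSPICIOUS_DIRS):
                    findings.append(("T1547.001", path, name, data))
    return findings


# Constructed reg query output for the demo (not captured from the sample).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe,C:\Users\Public\svchost.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    AutoRestartShell    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Windows Update Helper    REG_SZ    C:\Users\victim\AppData\Roaming\wuhelper.exe
"""

if __name__ == "__main__":
    for technique, path, name, data in audit(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{technique}  {path}\\{name} = {data}")
```

To use it on a live host, capture `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` and the HKLM and HKCU `...\CurrentVersion\Run` keys into a text file and pass its contents to `parse_reg_query`; a non-default `Userinit` or `Shell` is almost always worth pulling the referenced binary for hashing against the values in the General section.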

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547), 2 signatures
      • Registry Run Keys / Startup Folder (T1547.001), 1 signature
      • Winlogon Helper DLL (T1547.004), 1 signature

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547), 2 signatures
      • Registry Run Keys / Startup Folder (T1547.001), 1 signature
      • Winlogon Helper DLL (T1547.004), 1 signature

Defense Evasion

  • Modify Registry (T1112), 2 signatures

Command and Control

  • Web Service (T1102), 1 signature

Tasks