General

  • Target

    5f7a7b867374de7ce4277fd5c766312e_JaffaCakes118

  • Size

    322KB

  • Sample

    240520-re8gbadh9v

  • MD5

    5f7a7b867374de7ce4277fd5c766312e

  • SHA1

    763ea3f600136fd957bd7c42f148d42a6eb39621

  • SHA256

    dc9f16d932383754d9fbe28b7fbf59f3e5af1754582847981d264aa3225e1e17

  • SHA512

    7013ef483920b04972c69278b90146d6102e297a28e0db751d136c652da82b3a0720983432d253aeeb2540b748b423ac0acf71add0cfc83a89025bbdbfad14d6

  • SSDEEP

    6144:I8cXFf4JCjVyW64Y+oz993q8WxHz8VfcBN8Sq8Ul4X1NNHMsM7cuE8J:I8kiRox/nUQNssM7c3

Malware Config

Extracted

  • Family

    formbook

  • Version

    3.9

  • Campaign

    sa

  • Decoy

    brunoshooters.net
    ceritangesex.win
    ralphnation.com
    taylortalks.com
    immense.money
    qianworld.net
    smartphone.courses
    khflorida.com
    savingsaccountfree.technology
    vcxnyi.info
    spiceupyourspanish.com
    ahwatukeeelectriciannow.com
    sellinghomeswithlindsey.com
    mychurch.site
    baodingjinrongxiehui.com
    xfun.ltd
    fcmol.com
    rudolfbike.com
    nahuojie.net
    protect-account-now.com

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

    Tactic                Technique                      Count  ID
    Execution             Scheduled Task/Job             1      T1053
    Persistence           Scheduled Task/Job             1      T1053
    Privilege Escalation  Scheduled Task/Job             1      T1053
    Discovery             Query Registry                 1      T1012
    Discovery             System Information Discovery   2      T1082