General

  • Target

    6ac766cf7340aa9c7631eed633a88aa6_JaffaCakes118

  • Size

    2.5MB

  • Sample

    240523-ngzqeaec84

  • MD5

    6ac766cf7340aa9c7631eed633a88aa6

  • SHA1

    698ff575ba75225c92c20b645af9b4c33e294a72

  • SHA256

    82a752fc58acc797eedefc866ac9cebd765da7cc6aa070768ab475678605e24a

  • SHA512

    0842f38af644499735a920ec617176ed3c23dbb07c4cf4381dbfda3ac43630603f16d2bfa2dc37e18be63ac8ef3680ba9bec8495891b03417743bfc776e285f9

  • SSDEEP

    49152:TyY3M1FyYIZpr+0vRKLeEz9bJjomfVee26os:TyY3M1FyYIZpr+0vRKLeEz9bJjomfVea

Malware Config

  Extracted

  • Family

    formbook

  • Version

    3.9

  • Campaign

    br

  • Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family (credential and form-grabbing infostealer).

    • Formbook payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which supports entity renaming and control-flow obfuscation.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Exploitation for Client Execution (T1203): 1

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1

    Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1

    Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks