formbook

General

Target

6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118
Size

410KB
Sample

240524-d5wnjsbe8t
MD5

6d376f79e076fe8e311efac7bbc5499a
SHA1

2193c942e7d02b4627aa0802fb0107dba9b0068f
SHA256

1bd1c6bae8d74df3a44a814fa9f81f1988334317602c2d5f6d468617a14817ed
SHA512

c122aee705ae255855eacf61043969990e33fdeb7188356432e67bea2b1b983c485dd3b4a426bded895d4837785687242a5a3c242e2a45fe31abe05accfbd937
SSDEEP

12288:z4/ucsCfrLEnFHncFQhNe0GM1s65FHbLiSvU6Oui4am3YaCYmO2VdjVTfPKkD0Qs:z4/uY4nlcWNe0KOg2

Score

10^/10

formbook jo agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

jo

Decoy

udcrpf.win

bionicsvr.com

mitesserentferner.com

testtestsmbretail9517.info

wapatvvivolntrernet.com

tribemembers.com

buildings.exchange

progaero.com

aquifuera.com

unglockinge.com

theeoschronicles.com

xn--910ba670d24ddupq1a.com

nihalin.com

indivisiblesb.info

talitagustosa.com

zblogasp.com

shanshanjiu.com

clevel-executive-mail-suite.net

cover-necessary.com

devfunportal.com

Targets

- Target
  
  6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118
- Size
  
  410KB
- MD5
  
  6d376f79e076fe8e311efac7bbc5499a
- SHA1
  
  2193c942e7d02b4627aa0802fb0107dba9b0068f
- SHA256
  
  1bd1c6bae8d74df3a44a814fa9f81f1988334317602c2d5f6d468617a14817ed
- SHA512
  
  c122aee705ae255855eacf61043969990e33fdeb7188356432e67bea2b1b983c485dd3b4a426bded895d4837785687242a5a3c242e2a45fe31abe05accfbd937
- SSDEEP
  
  12288:z4/ucsCfrLEnFHncFQhNe0GM1s65FHbLiSvU6Oui4am3YaCYmO2VdjVTfPKkD0Qs:z4/uY4nlcWNe0KOg2
Score

10^/10

formbook jo agilenet rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Obfuscated with Agile.Net obfuscator

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2