Overview

overview

10

Static

static

3

6d376f79e0...18.exe

windows7-x64

10

6d376f79e0...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118

  • Size

    410KB

  • Sample

    240524-d5wnjsbe8t

  • MD5

    6d376f79e076fe8e311efac7bbc5499a

  • SHA1

    2193c942e7d02b4627aa0802fb0107dba9b0068f

  • SHA256

    1bd1c6bae8d74df3a44a814fa9f81f1988334317602c2d5f6d468617a14817ed

  • SHA512

    c122aee705ae255855eacf61043969990e33fdeb7188356432e67bea2b1b983c485dd3b4a426bded895d4837785687242a5a3c242e2a45fe31abe05accfbd937

  • SSDEEP

    12288:z4/ucsCfrLEnFHncFQhNe0GM1s65FHbLiSvU6Oui4am3YaCYmO2VdjVTfPKkD0Qs:z4/uY4nlcWNe0KOg2

Score
10/10
formbookjoagilenetratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

jo

Decoy

udcrpf.win

bionicsvr.com

mitesserentferner.com

testtestsmbretail9517.info

wapatvvivolntrernet.com

tribemembers.com

buildings.exchange

progaero.com

aquifuera.com

unglockinge.com

theeoschronicles.com

xn--910ba670d24ddupq1a.com

nihalin.com

indivisiblesb.info

talitagustosa.com

zblogasp.com

shanshanjiu.com

clevel-executive-mail-suite.net

cover-necessary.com

devfunportal.com

Targets

    • Target

      6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118

    • Size

      410KB

    • MD5

      6d376f79e076fe8e311efac7bbc5499a

    • SHA1

      2193c942e7d02b4627aa0802fb0107dba9b0068f

    • SHA256

      1bd1c6bae8d74df3a44a814fa9f81f1988334317602c2d5f6d468617a14817ed

    • SHA512

      c122aee705ae255855eacf61043969990e33fdeb7188356432e67bea2b1b983c485dd3b4a426bded895d4837785687242a5a3c242e2a45fe31abe05accfbd937

    • SSDEEP

      12288:z4/ucsCfrLEnFHncFQhNe0GM1s65FHbLiSvU6Oui4am3YaCYmO2VdjVTfPKkD0Qs:z4/uY4nlcWNe0KOg2

    Score
    10/10
    formbookjoagilenetratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks