General

  • Target

    786f7116b110303287aed5571dad3789_JaffaCakes118

  • Size

    403KB

  • Sample

    240527-jvbhhsdb3v

  • MD5

    786f7116b110303287aed5571dad3789

  • SHA1

    1ac724333f61654bb7560721e6420c014bcba932

  • SHA256

    704e900ae3d5645795927711e8f35d8b424ffcbbc4535f71346ea0feafebf14a

  • SHA512

    5f5f22b55fe1014217fe3a258797c9c77cfca47aa278893eae2cf2ea9037c06df54d9a6a39ff1b3d12d3369b328518ef33da7b1850157c0b0a4c1854f24a88a5

  • SSDEEP

    12288:sJixv2zv1grMilAdAYyI2QbWk/NEoQI4shdPYJdBJ:Gi42RlafyIhN/yo9vhuJLJ

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

aa3

Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 2

Credential Access

  • Unsecured Credentials (T1552): 1
  • Credentials In Files (T1552.001): 1

Collection

  • Data from Local System (T1005): 1

Tasks