formbook

General

Target

de9da3abf6aafbfc2d213f88329c30a3_JaffaCakes118
Size

268KB
Sample

240913-wj81vs1bqc
MD5

de9da3abf6aafbfc2d213f88329c30a3
SHA1

d52121a4a75a92a6c5ce5dd00a3aa64303118c0e
SHA256

93908b3545a7c137ee9d9b8c496fc01b2847538bc25768470bf3c2665c6a3b32
SHA512

be6798ee3f457363c8306738125f3d9fd8705c81c67dab4bdd5b2bcf060af9afa8ee9825096e1f2c4014028aac9eebbfb4be2b4374c35a8ac4977ca6c3a1d206
SSDEEP

6144:3uL1hTBODR+/O57y9VqnWVjdwn7bobIJ0J9+JuW:kh8E/d9VqnWxdwYbImJ9mf

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gdo

Decoy

algarverentalhome.com

zhmuying.com

familyinflow.com

tsushin.tech

pisosnuevosenbarajas.com

papeles-pintados.biz

october12017.info

armcodev.com

jumo-7.com

creativaph.net

moriteeguesthouse.com

bigdogowners.com

xunleigesp.com

danosporagua.com

xn--mkro7sz6qzxo.com

fidelitymoving.com

shreddingcycles.com

oldschoolquarterbacks.net

googlegtx.com

collinnorotsky.com

Targets

- Target
  
  PO#9943441.xls.exe
- Size
  
  887KB
- MD5
  
  d805ae4b8c9cc7d49432a7dd3f5de693
- SHA1
  
  cdb73e6bd75bf2b7a4ef54435a5dd0179c67693b
- SHA256
  
  415c22ceb1927b67c21bd55423f75713b29ca6950e806387e28abbbf19ccc8bd
- SHA512
  
  3cd4ae4964e0a491f5819c554aa1379f98d9b834590f309b450e8943892a322a7ee5a17a925f311dc83155eaa7a058fe75b9ed969e6ff5155160d0bfa4c9b2ca
- SSDEEP
  
  6144:0V2wunldSL9/jlaD8jzurlsY4/Pg1IWSzOvZFTiEExL08koTxBroW:0V2ruLxjlaqmlsYKPg1k4FGEE28V
Score

10^/10

formbook gdo agilenet discovery rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2