formbook | JaffaCakes118_43059e0dd5bace9fdfb6336a6cea8c4b2b9d49d976c4857d04dbe37bb2337162

General

Target

JaffaCakes118_43059e0dd5bace9fdfb6336a6cea8c4b2b9d49d976c4857d04dbe37bb2337162
Size

188KB
MD5

a6f860b40de7b575e4d79f76b13a94ce
SHA1

ed50be5ba415adf3863363775fa33cefd37649a0
SHA256

43059e0dd5bace9fdfb6336a6cea8c4b2b9d49d976c4857d04dbe37bb2337162
SHA512

0eeefbcd6fd44b3a55f12eb05bccaf3b593f833a3fdb2701cecf7eb279c7414617a6737f1f8a6a5842270e1a30c4dc6bbe908d8d2ae1b569cd8f3862cd46a291
SSDEEP

3072:rBi3UWrGp0JzjPKhqWqgKKVqKcp3R5SRp4zQXv2O6TSgBVwf:IDzWhQgKKVhcp3R5Sz4zevheVwf

Score

10^/10

rat pf20 formbook

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pf20

Decoy

coldprobe.repair

onlinehealthcare.biz

grandpasstore.com

osakav.online

speakeraudit.com

halltownrealestate.com

pyrobox.pro

lyonem.one

0519jx.net

plumpmail.com

zauna.xyz

villeos.net

zhijiew.com

ek7u8y1jr.com

bayuscool.com

markerpoint.online

around.cash

diarpohody.online

mercymobilecanning.com

sanjuanalfuturo.online

Signatures

Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
sample	formbook

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
JaffaCakes118_43059e0dd5bace9fdfb6336a6cea8c4b2b9d49d976c4857d04dbe37bb2337162

Files

JaffaCakes118_43059e0dd5bace9fdfb6336a6cea8c4b2b9d49d976c4857d04dbe37bb2337162
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 180KB - Virtual size: 180KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 180KB - Virtual size: 180KB

.text
Size: 180KB - Virtual size: 180KB