formbook | JaffaCakes118_1e1c3e81871aa971c27e43199a2c020fa7f7f5727e2ef88a041c0a81038af471

General

Target

JaffaCakes118_1e1c3e81871aa971c27e43199a2c020fa7f7f5727e2ef88a041c0a81038af471
Size

133KB
MD5

aa32f8ac86db63b3e4425d3a2e3e1859
SHA1

f4ab20af16e922cc472f64569efdb3dd573863a9
SHA256

1e1c3e81871aa971c27e43199a2c020fa7f7f5727e2ef88a041c0a81038af471
SHA512

3ee95c09ec1b8f2e5f1429aeeb4374a60ad3897db59273d0869763136ff121f396dcca874d51ff76026f4db7224d604e1a87895377f8212374500df9f600941d
SSDEEP

3072:I1xYOPCKy60HGgUdACbdcZOT+e6f7fihQTZORqKS/Wl:IbfPCKyrGgUdACbmkTzq7VcUFG

Score

10^/10

rat ht6 formbook

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ht6

Decoy

sjmurphyconsulting.com

trumpshandsoffmybox.com

jiazhoulighting.net

gpssee.net

wanhit.com

serioushaulersltd.com

servbizz.com

livinginroanokeva.com

inttech.site

mirokublog.net

hexagonner.com

advokat-ternopil.com

gtybs.com

pothosautomation.com

keralaspicesbuyonline.com

zzbys.com

ridingthepct.net

16helix.com

basstardbaits.com

windsride.com

Signatures

Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
static1/unpack001/encodedbinary.exe	formbook

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/encodedbinary.exe

Files

JaffaCakes118_1e1c3e81871aa971c27e43199a2c020fa7f7f5727e2ef88a041c0a81038af471
.zip

Password: infected
encodedbinary.exe
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 177KB - Virtual size: 176KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 177KB - Virtual size: 176KB

.text
Size: 177KB - Virtual size: 176KB