formbook | b0cfa1848c7b08eb881e615731493df57963468fa3fb461ebf1468271dd17a14

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-04-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe
Size

406KB
MD5

94abfdf47572a6023f28be8b72f2fb74
SHA1

c05059aa66ebd5eefe06f49e889f178aafebf5a1
SHA256

b0cfa1848c7b08eb881e615731493df57963468fa3fb461ebf1468271dd17a14
SHA512

1344ba9e20adfa83d8c8c6a7cdb3a99538b542b821e63030cd64808b4c899cf32df5326ef8fcb0c37664a7aa4f8fb85a6c3fc19d6f19829c2b808a2beda9e182
SSDEEP

6144:OaDH3SWaWBa6irJ741J9DxKVi51hX9IYQEKVy6HsPDRr6K8kqP6bLn:HDHi6a6irJS9DxKVI9YHMUKK6

Score

10^/10

formbook jy0b rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jy0b

Decoy

lamejorimagen.com

mykabukibrush.com

modgon.com

barefoottherapeutics.com

shimpeg.net

trade-sniper.com

chiangkhancityhotel.com

joblessmoni.club

stespritsubways.com

chico-group.com

nni8.xyz

searchtypically.online

jobsyork.com

bestsales-crypto.com

iqmarketing.info

bullcityphotobooths.com

fwssc.icu

1oc87s.icu

usdiesel.xyz

secrets2optimumnutrition.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2496-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe

description	pid	process	target process
PID 2468 set thread context of 2496	2468	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe

pid process

2496 94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe

pid	process
2496	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe

description	pid	process	target process
PID 2468 wrote to memory of 2496	2468	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe
PID 2468 wrote to memory of 2496	2468	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe
PID 2468 wrote to memory of 2496	2468	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe
PID 2468 wrote to memory of 2496	2468	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe
PID 2468 wrote to memory of 2496	2468	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe
PID 2468 wrote to memory of 2496	2468	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe
PID 2468 wrote to memory of 2496	2468	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe	94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94abfdf47572a6023f28be8b72f2fb74_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2496

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-6-0x0000000005BA0000-0x0000000005BF8000-memory.dmp

Filesize
352KB

Download
memory/2468-1-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2468-2-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/2468-3-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/2468-4-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2468-5-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/2468-0-0x00000000013C0000-0x000000000142C000-memory.dmp

Filesize
432KB

Download
memory/2468-12-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2496-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2496-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-13-0x0000000000810000-0x0000000000B13000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads