formbook | c4edf97ee108849df46eadbc7984bf178d0da690d9825adc7b7cdac465d12605

Analysis

max time kernel
114s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe
Size

557KB
MD5

d7f1300dd4f56d7b8e698e94af817056
SHA1

f4ab31d7ec432ed0f1cd662b7cb9e656a7fe62c0
SHA256

c4edf97ee108849df46eadbc7984bf178d0da690d9825adc7b7cdac465d12605
SHA512

6d76f4b0e4e45dc090d096f8e3d215a2575f67fef014d7c7cbcc4b38f1c9723bc5d9031658d8a86e16a3dd40f65f289915740a23ea6a1e06818ef41e38f55a84
SSDEEP

12288:2lOvlE/GWSj7ZG17YKdSH4T8gvVaXjSOv/pr0cY/n0unU:2Uvldj7ARjdvBeVn15Sn0r

Score

10^/10

formbook jw9u rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jw9u

Decoy

myhvacdeal.com

therizks2022.com

belondo.com

selflovewithallie.com

fkdosdz3.xyz

2commacluboffers.com

beyazyakaetkinlik.com

5sensesbranding.com

clesioalves.com

home2.xyz

talulaboutique.com

marketing-republic.com

mappilog.com

n1a.site

berlinspecials.com

iphone13.media

healthrapidlab.com

outdoorteakgarden.com

i0bqd8ny.xyz

chairzon.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4584-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4508 set thread context of 4584	4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe	102

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe
4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe
4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe
4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe
4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe
4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe
4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe
4584	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe
4584	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe
4584	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 4584	4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe	102
PID 4508 wrote to memory of 4584	4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe	102
PID 4508 wrote to memory of 4584	4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe	102
PID 4508 wrote to memory of 4584	4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe	102
PID 4508 wrote to memory of 4584	4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe	102
PID 4508 wrote to memory of 4584	4508	d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe	102

C:\Users\Admin\AppData\Local\Temp\d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Local\Temp\d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d7f1300dd4f56d7b8e698e94af817056_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2260,i,9938964625802268469,1928462186077019554,262144 --variations-seed-version /prefetch:8
1⤵
PID:4168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4508-6-0x00000000051B0000-0x00000000051CC000-memory.dmp

Filesize
112KB

Download
memory/4508-10-0x0000000007CD0000-0x0000000007D6C000-memory.dmp

Filesize
624KB

Download
memory/4508-2-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/4508-3-0x0000000004F70000-0x0000000005002000-memory.dmp

Filesize
584KB

Download
memory/4508-4-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4508-5-0x0000000005160000-0x000000000516A000-memory.dmp

Filesize
40KB

Download
memory/4508-1-0x0000000000540000-0x00000000005D2000-memory.dmp

Filesize
584KB

Download
memory/4508-8-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4508-0-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4508-9-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4508-7-0x0000000005380000-0x0000000005398000-memory.dmp

Filesize
96KB

Download
memory/4508-11-0x0000000007E10000-0x0000000007E7E000-memory.dmp

Filesize
440KB

Download
memory/4508-14-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4584-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-15-0x0000000001590000-0x00000000018DA000-memory.dmp

Filesize
3.3MB

Download