formbook | 3334766a549149bb18921ea6d05343412c99d36b57e3993b7610dfe689f5f194

Analysis

max time kernel
94s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebee31991b156db114ab560139198d8f_JaffaCakes118.exe
Size

791KB
MD5

ebee31991b156db114ab560139198d8f
SHA1

59326bdcd208d288adbe67690e1dbeec0da26722
SHA256

3334766a549149bb18921ea6d05343412c99d36b57e3993b7610dfe689f5f194
SHA512

c2cb8649d644b394437a76fc34ef6fbda2a020fb565a0f457e2df41d5dec1c6bba26eaefd25d78c82964d43320a393b40728037672d14bd236893043b180744d
SSDEEP

12288:eBfMjmtiNSmyDmJomIyx8OyHpBvygTUxiGwD0Pu0sIPWfZ4OU8IqxucBLC9J:eBtnpBvygA8LUHFr0O9J

Score

10^/10

formbook glgd agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

glgd

Decoy

cdcbullies.com

qidajixie.com

bgimlv.com

sunflowerhybrid.com

kemal.cloud

canadadirect.net

mickey2nd.com

fastjobssearcher.com

tiny-tobi.com

inmedixequus.com

coollifeideas.com

triadelectronicsupply.com

lambyo.com

zxyoo.com

spokanemusicmag.com

sortporn.com

deadroomnyc.com

313mail.com

hexiptv.net

stanbiccargo-express.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2404-14-0x0000000000340000-0x000000000036E000-memory.dmp	formbook

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/1900-7-0x0000000005BA0000-0x0000000005BC8000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

ebee31991b156db114ab560139198d8f_JaffaCakes118.exe

description	pid	process	target process
PID 1900 set thread context of 2404	1900	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3096 2404 WerFault.exe ebee31991b156db114ab560139198d8f_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ebee31991b156db114ab560139198d8f_JaffaCakes118.exe

pid process

1900 ebee31991b156db114ab560139198d8f_JaffaCakes118.exe
1900 ebee31991b156db114ab560139198d8f_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ebee31991b156db114ab560139198d8f_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1900 ebee31991b156db114ab560139198d8f_JaffaCakes118.exe

pid	pid_target	process	target process
3096	2404	WerFault.exe	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe

pid	process
1900	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe
1900	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1900	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ebee31991b156db114ab560139198d8f_JaffaCakes118.exe

description	pid	process	target process
PID 1900 wrote to memory of 2404	1900	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe
PID 1900 wrote to memory of 2404	1900	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe
PID 1900 wrote to memory of 2404	1900	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe
PID 1900 wrote to memory of 2404	1900	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe
PID 1900 wrote to memory of 2404	1900	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe
PID 1900 wrote to memory of 2404	1900	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe	ebee31991b156db114ab560139198d8f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ebee31991b156db114ab560139198d8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebee31991b156db114ab560139198d8f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\ebee31991b156db114ab560139198d8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebee31991b156db114ab560139198d8f_JaffaCakes118.exe"
2⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 184
3⤵
- Program crash
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2404 -ip 2404
1⤵
PID:2760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1900-6-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/1900-8-0x0000000007170000-0x00000000071D6000-memory.dmp

Filesize
408KB

Download
memory/1900-2-0x0000000005BD0000-0x0000000006174000-memory.dmp

Filesize
5.6MB

Download
memory/1900-3-0x0000000005550000-0x00000000055E2000-memory.dmp

Filesize
584KB

Download
memory/1900-4-0x0000000005620000-0x0000000005974000-memory.dmp

Filesize
3.3MB

Download
memory/1900-5-0x0000000005A80000-0x0000000005B1C000-memory.dmp

Filesize
624KB

Download
memory/1900-1-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/1900-7-0x0000000005BA0000-0x0000000005BC8000-memory.dmp

Filesize
160KB

Download
memory/1900-0-0x0000000000AE0000-0x0000000000BAC000-memory.dmp

Filesize
816KB

Download
memory/1900-9-0x0000000007130000-0x0000000007152000-memory.dmp

Filesize
136KB

Download
memory/1900-10-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/1900-11-0x00000000078D0000-0x00000000078E4000-memory.dmp

Filesize
80KB

Download
memory/1900-12-0x0000000009F10000-0x0000000009F16000-memory.dmp

Filesize
24KB

Download
memory/1900-17-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/2404-14-0x0000000000340000-0x000000000036E000-memory.dmp

Filesize
184KB

Download