formbook | 836579ca69ab6a19f5bbda57ab734abb715e0c7d8245ae0a9cb0e1b31b7ef437

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe
Size

1004KB
MD5

f976846b1a85f117ff078d9662931c48
SHA1

b5cdfaba7d6a07225e2081dc4e6fe5265580ab1d
SHA256

836579ca69ab6a19f5bbda57ab734abb715e0c7d8245ae0a9cb0e1b31b7ef437
SHA512

3372999cf4a2aa74af362e48834a016a6851396212770acf625360ce3f05199738f5287701050d3622c66d7fe94671cb85850979639d9d5791c4fc402e4f6e3e
SSDEEP

12288:Dx0lQLjOZdIt7FDaoGR9gLlpNND6PQLxNcE9bwbwUX:lzLjOjG71aog9gGPQLL39Eb

Score

10^/10

formbook gz92 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gz92

Decoy

ayurvedichealthformulas.com

plazaconstrutora.com

nat-hetong.info

eapdigital.com

ibluebaytvwdshop.com

committable.com

escapesbyek.com

mywebdesigner.pro

jianianhong.com

benvenutoqui.com

beiyet.com

theartofgifs.com

mbwvyksnk.icu

nshahwelfare.com

hhhservice.com

thechaibali.com

travelscreen.expert

best123-movies.com

leiahin.com

runplay11.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5056-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe

description	pid	process	target process
PID 4860 set thread context of 5056	4860	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe

pid process

5056 f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe
5056 f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe

pid	process
5056	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe
5056	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe

description	pid	process	target process
PID 4860 wrote to memory of 5056	4860	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe
PID 4860 wrote to memory of 5056	4860	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe
PID 4860 wrote to memory of 5056	4860	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe
PID 4860 wrote to memory of 5056	4860	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe
PID 4860 wrote to memory of 5056	4860	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe
PID 4860 wrote to memory of 5056	4860	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe	f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4860

C:\Users\Admin\AppData\Local\Temp\f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f976846b1a85f117ff078d9662931c48_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4860-6-0x0000000005630000-0x000000000564C000-memory.dmp

Filesize
112KB

Download
memory/4860-8-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/4860-2-0x00000000059B0000-0x0000000005F54000-memory.dmp

Filesize
5.6MB

Download
memory/4860-3-0x0000000005400000-0x0000000005492000-memory.dmp

Filesize
584KB

Download
memory/4860-4-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/4860-5-0x0000000005350000-0x000000000535A000-memory.dmp

Filesize
40KB

Download
memory/4860-1-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/4860-7-0x0000000006820000-0x00000000068BC000-memory.dmp

Filesize
624KB

Download
memory/4860-0-0x00000000009E0000-0x0000000000AE2000-memory.dmp

Filesize
1.0MB

Download
memory/4860-9-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/4860-10-0x00000000082D0000-0x0000000008362000-memory.dmp

Filesize
584KB

Download
memory/4860-11-0x000000000A9D0000-0x000000000AA2C000-memory.dmp

Filesize
368KB

Download
memory/4860-14-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/5056-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5056-15-0x00000000018D0000-0x0000000001C1A000-memory.dmp

Filesize
3.3MB

Download