formbook | 125a3d1084a3f13ca811f5fbecdbade8d6e2b2c5d73a686674c6ff244ec99f68

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe
Size

540KB
MD5

fcc476ac485651017cc49abe9fcdbaeb
SHA1

de84f7ae453f48d18934db6d99072170ec7b1ee4
SHA256

125a3d1084a3f13ca811f5fbecdbade8d6e2b2c5d73a686674c6ff244ec99f68
SHA512

12d3c58c070a5cf8f9e4566693b312bcfb42a155d8767c607d4a91939f6cfff1a88460c2c80b3b12f50707b4fa845740b62973caa667477dc629a70beeae5ead
SSDEEP

6144:u27T6Uqrl8bPWJLWlGwCF1y27MIO3tCRRn846pSBKFi4U73TMW+OJz921AsOjzoC:1SU/b0LtF1XyARP+rFM3T+0rN5dp

Score

10^/10

formbook zd9n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

zd9n

Decoy

statim-transition.com

puregreencircle.com

shoppy-memories.com

name4iching.com

lottieslabel.com

moreatrokkss.com

yeheto.com

coachimprint.com

arthero.xyz

shophairsaints.com

asfcouture.com

5632terraindegolf.com

visiodune.com

tejasfood.com

saanviweaves.com

testtrial.xyz

twerkvideos.xyz

bevelbuilders.com

erbilwater.com

floridaeventsnews.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1960-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe

description	pid	process	target process
PID 3052 set thread context of 1960	3052	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe

pid process

1960 fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe
1960 fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe

pid	process
1960	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe
1960	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe

description	pid	process	target process
PID 3052 wrote to memory of 1960	3052	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe
PID 3052 wrote to memory of 1960	3052	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe
PID 3052 wrote to memory of 1960	3052	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe
PID 3052 wrote to memory of 1960	3052	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe
PID 3052 wrote to memory of 1960	3052	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe
PID 3052 wrote to memory of 1960	3052	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe	fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fcc476ac485651017cc49abe9fcdbaeb_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1960-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-15-0x00000000010B0000-0x00000000013FA000-memory.dmp

Filesize
3.3MB

Download
memory/1960-14-0x00000000010B0000-0x00000000013FA000-memory.dmp

Filesize
3.3MB

Download
memory/3052-6-0x0000000006830000-0x0000000006848000-memory.dmp

Filesize
96KB

Download
memory/3052-4-0x0000000005610000-0x0000000005620000-memory.dmp

Filesize
64KB

Download
memory/3052-5-0x0000000005600000-0x000000000560A000-memory.dmp

Filesize
40KB

Download
memory/3052-0-0x0000000000BC0000-0x0000000000C4E000-memory.dmp

Filesize
568KB

Download
memory/3052-7-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/3052-8-0x0000000005610000-0x0000000005620000-memory.dmp

Filesize
64KB

Download
memory/3052-9-0x0000000006FD0000-0x000000000706C000-memory.dmp

Filesize
624KB

Download
memory/3052-10-0x00000000070D0000-0x0000000007128000-memory.dmp

Filesize
352KB

Download
memory/3052-3-0x0000000005660000-0x00000000056F2000-memory.dmp

Filesize
584KB

Download
memory/3052-13-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/3052-2-0x0000000005C10000-0x00000000061B4000-memory.dmp

Filesize
5.6MB

Download
memory/3052-1-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download