formbook | fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
Size

867KB
MD5

86f59231b4d4b92d9d41a16a142380fe
SHA1

3bbadc59af1d5358c0565eadc51ce777d47a0dda
SHA256

fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf
SHA512

1b98f0c970819f7a1f5fb2b8566b4b0c0abb126b747f092f90587189f345a5d3672446b1e762752c3ffcdd0b2f92f28bcb2538e8e14af5abd2b5013a1a0bcaff
SSDEEP

12288:gU6HguXUVUAfIOsgKwDV+nm5vc19ApsWSyO7rbdTrcL/SIIcM8zh:EgzQwB8mhMtV5g8z8zh

Score

10^/10

formbook g11y rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g11y

Decoy

dianedaily.com

grabius.fun

aboodivesakaran.com

ttasum.site

softlytictechpro.com

charlenenicholls.com

money254.info

saleanycoin.com

zhlnas.top

bushelandabean.com

ggaperformance.com

rm168vip.life

getconsol.com

empower-excellence.com

pompgarden.com

spartanburghistorytour.com

thewrkrbees.com

baoslot-adm.com

bizchatgpt777.com

testdomenkinogid-new-1.buzz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/632-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

description	pid	process	target process
PID 1792 set thread context of 632	1792	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

pid	process
632	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
632	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

description	pid	process	target process
PID 1792 wrote to memory of 632	1792	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1792 wrote to memory of 632	1792	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1792 wrote to memory of 632	1792	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1792 wrote to memory of 632	1792	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1792 wrote to memory of 632	1792	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1792 wrote to memory of 632	1792	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/632-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/632-15-0x0000000001000000-0x000000000134A000-memory.dmp

Filesize
3.3MB

Download
memory/632-14-0x0000000001000000-0x000000000134A000-memory.dmp

Filesize
3.3MB

Download
memory/1792-6-0x0000000005080000-0x0000000005094000-memory.dmp

Filesize
80KB

Download
memory/1792-4-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/1792-5-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

Filesize
40KB

Download
memory/1792-1-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/1792-7-0x00000000050B0000-0x00000000050BA000-memory.dmp

Filesize
40KB

Download
memory/1792-8-0x00000000050C0000-0x00000000050CE000-memory.dmp

Filesize
56KB

Download
memory/1792-9-0x00000000060A0000-0x0000000006120000-memory.dmp

Filesize
512KB

Download
memory/1792-10-0x0000000008830000-0x00000000088CC000-memory.dmp

Filesize
624KB

Download
memory/1792-3-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/1792-13-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/1792-2-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/1792-0-0x0000000000310000-0x00000000003EE000-memory.dmp

Filesize
888KB

Download