formbook | 535d92c4a194c64723fdf9b7279f033085c0861d93b9f43747320759fd172afc

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 12:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

108156ae3609706003c6cefd6335c554_JaffaCakes118.exe
Size

368KB
MD5

108156ae3609706003c6cefd6335c554
SHA1

9ad9e65ee4407162beb14eb33859ffc77451e7fb
SHA256

535d92c4a194c64723fdf9b7279f033085c0861d93b9f43747320759fd172afc
SHA512

72ec03a163d291c9fc8e73689e63e0b55aa78d2c97e83b2187d581592d09a7ab361004ce72ee9a8792dee6c36a4a6ffda80391106afc2a1e7733653f813b247f
SSDEEP

3072:aFFyrH+tfkhzjvRYkYjvnNfugsIN23+q7cuZv2kjgyoWOuClDfujpITpVxzApTld:aiHGIRYtvZughqLFeuwi0pVaY

Score

10^/10

formbook jc rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

petfashionvalley.com

sisermexico.com

mycityneighbors.com

trojanerhilfe.com

2012mi.com

bitcoinkeith.com

integracube.com

portalgnu.com

xingcaiyule2.com

saasgroceries.com

groupulljimzasac.com

sscfz.win

microauditoria.com

grandijen.com

beautiebootik.com

trb899.com

autobittrex.com

greeksinbritain.com

flamingouno.com

agencecuivre.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2180-12-0x0000000000400000-0x000000000045F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 2180	2084	108156ae3609706003c6cefd6335c554_JaffaCakes118.exe	28

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	108156ae3609706003c6cefd6335c554_JaffaCakes118.exe
File opened for modification	C:\Windows\win.ini	108156ae3609706003c6cefd6335c554_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2180	108156ae3609706003c6cefd6335c554_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2084	108156ae3609706003c6cefd6335c554_JaffaCakes118.exe
2180	108156ae3609706003c6cefd6335c554_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2180	2084	108156ae3609706003c6cefd6335c554_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2180	2084	108156ae3609706003c6cefd6335c554_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2180	2084	108156ae3609706003c6cefd6335c554_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2180	2084	108156ae3609706003c6cefd6335c554_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\108156ae3609706003c6cefd6335c554_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\108156ae3609706003c6cefd6335c554_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\108156ae3609706003c6cefd6335c554_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\108156ae3609706003c6cefd6335c554_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
memory/2084-3-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2084-4-0x00000000776C1000-0x00000000777C2000-memory.dmp

Filesize
1.0MB

Download
memory/2084-5-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2084-10-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2180-11-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2180-13-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/2180-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download