formbook | d5c67af1346fed0b4ef7106cdca4ed27c8a574bd0b4e01258d56eec76a8e2968

General

Target

1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe
Size

595KB
MD5

1f112904748a1369e6fe50dee8b00756
SHA1

00c42823f74ddf87db776d746eee3e5fd4f33b5e
SHA256

d5c67af1346fed0b4ef7106cdca4ed27c8a574bd0b4e01258d56eec76a8e2968
SHA512

5615882042bbd73bb85d763d23533027e9898d2b4c44965ec20f81f3f8404179701f283747887bccdcea0ee6165e98765159a7bbe779d6a283acc90a8c3bfc5c
SSDEEP

6144:u71StmT+sbAyX58ZPCVuif1StmT+sbAyX58ZPCVuiK4itpOc0FDBK1OKPiOM8zI9:C8yIy581Qv8yIy581Q64MZKwOK6v5k

Score

10^/10

formbook zgrat yo agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

yo

Decoy

creditformula.net

marketingwo.com

xn--w9q221mxha.com

mandanudes.com

dignity.exchange

outdooreveryday.com

legalandmedicaltranslations.com

grassrootsheals.com

voranado.com

thedayofficial.com

xn--6cs32cp56d.com

paketwisata.info

2b.church

konzerthausmuc.com

analytics-scanner.com

bodyperceptiontreatment.com

katyastan.com

ldede.win

eqy7g0.win

ewyurija.win

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2416-2-0x0000000000450000-0x0000000000478000-memory.dmp	family_zgrat_v1

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2676-12-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2416-2-0x0000000000450000-0x0000000000478000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe

description	pid	process	target process
PID 2416 set thread context of 2676	2416	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe

pid process

2676 1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2416 1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe

pid	process
2676	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2416	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe

description	pid	process	target process
PID 2416 wrote to memory of 2676	2416	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe
PID 2416 wrote to memory of 2676	2416	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe
PID 2416 wrote to memory of 2676	2416	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe
PID 2416 wrote to memory of 2676	2416	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe
PID 2416 wrote to memory of 2676	2416	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe
PID 2416 wrote to memory of 2676	2416	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe
PID 2416 wrote to memory of 2676	2416	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe	1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f112904748a1369e6fe50dee8b00756_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2416-6-0x0000000074BB0000-0x000000007529E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

Filesize
4KB

Download
memory/2416-2-0x0000000000450000-0x0000000000478000-memory.dmp

Filesize
160KB

Download
memory/2416-3-0x0000000074BB0000-0x000000007529E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-4-0x0000000074BB0000-0x000000007529E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-5-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

Filesize
4KB

Download
memory/2416-1-0x0000000000AF0000-0x0000000000B8C000-memory.dmp

Filesize
624KB

Download
memory/2416-7-0x0000000074BB0000-0x000000007529E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-13-0x0000000074BB0000-0x000000007529E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2676-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2676-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2676-14-0x0000000000B90000-0x0000000000E93000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads