formbook | b8cc9e2b1509abfb88b4b570456839e5c00a7ffa52da7ef3333eef7d7b00922c

General

Target

2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe
Size

599KB
MD5

2171d7a11c215bdd470fcd398c776b6d
SHA1

5e87f0159bd179e69d935f1fcbc29c17bb72cea7
SHA256

b8cc9e2b1509abfb88b4b570456839e5c00a7ffa52da7ef3333eef7d7b00922c
SHA512

ce7baa4240d9a4fd9b89019739d369276d4b5ada3bd831147fe20a95ae2263b71c5e824d54af0f17df5c44edb6501058e79490e52e3a759e1b3b8f42beb8fe8b
SSDEEP

12288:rosspP5Lzf8osspP5LzfdxrEjf3kEHjyaQ4:opP5LTLpP5LTDA1uaQ4

Score

10^/10

formbook h35 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

h35

Decoy

maraudersinc.com

liebianwangluo.com

visit-australia.info

machiyane-kasukabe.com

hafizclub.com

merkburn.net

favoritetraffic2updating.win

adrian-oeser.net

nkshopdomaincpplt234.info

imperiodofutebol.com

welometocaloundra.com

thehealthypose.com

squalloptna.com

bobknowsbest.com

damgproperties.com

wastemastershire.co.uk

swacballet.com

japanbreakingnews.com

bjufaa.info

aryakuza.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3036-6-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/3036-11-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exeRegAsm.exerundll32.exe

description	pid	process	target process
PID 2964 set thread context of 3036	2964	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	RegAsm.exe
PID 3036 set thread context of 1124	3036	RegAsm.exe	Explorer.EXE
PID 2424 set thread context of 1124	2424	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

RegAsm.exerundll32.exe

pid	process
3036	RegAsm.exe
3036	RegAsm.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegAsm.exerundll32.exe

pid process

3036 RegAsm.exe
3036 RegAsm.exe
3036 RegAsm.exe
2424 rundll32.exe
2424 rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exeRegAsm.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	2964	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe
Token: SeDebugPrivilege	3036	RegAsm.exe
Token: SeDebugPrivilege	2424	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 2964 wrote to memory of 3036	2964	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	RegAsm.exe
PID 2964 wrote to memory of 3036	2964	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	RegAsm.exe
PID 2964 wrote to memory of 3036	2964	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	RegAsm.exe
PID 2964 wrote to memory of 3036	2964	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	RegAsm.exe
PID 2964 wrote to memory of 3036	2964	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	RegAsm.exe
PID 2964 wrote to memory of 3036	2964	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	RegAsm.exe
PID 2964 wrote to memory of 3036	2964	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	RegAsm.exe
PID 2964 wrote to memory of 3036	2964	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	RegAsm.exe
PID 2964 wrote to memory of 3036	2964	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	RegAsm.exe
PID 2964 wrote to memory of 3036	2964	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	RegAsm.exe
PID 1124 wrote to memory of 2424	1124	Explorer.EXE	rundll32.exe
PID 1124 wrote to memory of 2424	1124	Explorer.EXE	rundll32.exe
PID 1124 wrote to memory of 2424	1124	Explorer.EXE	rundll32.exe
PID 1124 wrote to memory of 2424	1124	Explorer.EXE	rundll32.exe
PID 1124 wrote to memory of 2424	1124	Explorer.EXE	rundll32.exe
PID 1124 wrote to memory of 2424	1124	Explorer.EXE	rundll32.exe
PID 1124 wrote to memory of 2424	1124	Explorer.EXE	rundll32.exe
PID 2424 wrote to memory of 2092	2424	rundll32.exe	cmd.exe
PID 2424 wrote to memory of 2092	2424	rundll32.exe	cmd.exe
PID 2424 wrote to memory of 2092	2424	rundll32.exe	cmd.exe
PID 2424 wrote to memory of 2092	2424	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2092

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1124-10-0x0000000002EE0000-0x0000000002FE0000-memory.dmp

Filesize
1024KB

Download
memory/1124-20-0x00000000044A0000-0x0000000004599000-memory.dmp

Filesize
996KB

Download
memory/1124-13-0x00000000044A0000-0x0000000004599000-memory.dmp

Filesize
996KB

Download
memory/2424-15-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/2424-17-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/2424-14-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/2964-1-0x00000000013C0000-0x000000000145C000-memory.dmp

Filesize
624KB

Download
memory/2964-2-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/2964-3-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2964-4-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2964-5-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2964-7-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2964-0-0x00000000742DE000-0x00000000742DF000-memory.dmp

Filesize
4KB

Download
memory/3036-8-0x00000000024F0000-0x00000000027F3000-memory.dmp

Filesize
3.0MB

Download
memory/3036-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3036-12-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/3036-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads