formbook | b8cc9e2b1509abfb88b4b570456839e5c00a7ffa52da7ef3333eef7d7b00922c

Analysis

max time kernel
136s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe
Size

599KB
MD5

2171d7a11c215bdd470fcd398c776b6d
SHA1

5e87f0159bd179e69d935f1fcbc29c17bb72cea7
SHA256

b8cc9e2b1509abfb88b4b570456839e5c00a7ffa52da7ef3333eef7d7b00922c
SHA512

ce7baa4240d9a4fd9b89019739d369276d4b5ada3bd831147fe20a95ae2263b71c5e824d54af0f17df5c44edb6501058e79490e52e3a759e1b3b8f42beb8fe8b
SSDEEP

12288:rosspP5Lzf8osspP5LzfdxrEjf3kEHjyaQ4:opP5LTLpP5LTDA1uaQ4

Score

10^/10

formbook h35 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

h35

Decoy

maraudersinc.com

liebianwangluo.com

visit-australia.info

machiyane-kasukabe.com

hafizclub.com

merkburn.net

favoritetraffic2updating.win

adrian-oeser.net

nkshopdomaincpplt234.info

imperiodofutebol.com

welometocaloundra.com

thehealthypose.com

squalloptna.com

bobknowsbest.com

damgproperties.com

wastemastershire.co.uk

swacballet.com

japanbreakingnews.com

bjufaa.info

aryakuza.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4564-9-0x00000000005C0000-0x00000000005EA000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3500 set thread context of 4564	3500	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1128	4564	WerFault.exe	92

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3500	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 4564	3500	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	92
PID 3500 wrote to memory of 4564	3500	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	92
PID 3500 wrote to memory of 4564	3500	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	92
PID 3500 wrote to memory of 4564	3500	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	92
PID 3500 wrote to memory of 4564	3500	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	92
PID 3500 wrote to memory of 4564	3500	2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2171d7a11c215bdd470fcd398c776b6d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 540
    3⤵
    - Program crash
    PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4564 -ip 4564
1⤵
PID:4480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3500-0-0x00000000746CE000-0x00000000746CF000-memory.dmp

Filesize
4KB

Download
memory/3500-1-0x0000000000CD0000-0x0000000000D6C000-memory.dmp

Filesize
624KB

Download
memory/3500-2-0x00000000056B0000-0x00000000056D0000-memory.dmp

Filesize
128KB

Download
memory/3500-3-0x0000000003000000-0x0000000003006000-memory.dmp

Filesize
24KB

Download
memory/3500-4-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/3500-5-0x0000000008150000-0x00000000086F4000-memory.dmp

Filesize
5.6MB

Download
memory/3500-6-0x0000000007CA0000-0x0000000007D32000-memory.dmp

Filesize
584KB

Download
memory/3500-7-0x0000000008080000-0x000000000811C000-memory.dmp

Filesize
624KB

Download
memory/3500-12-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/4564-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4564-9-0x00000000005C0000-0x00000000005EA000-memory.dmp

Filesize
168KB

Download