formbook | a84082ae91276ae65520f597253a8b7c1d0756bd0818ba4f50a986b716fa356a

General

Target

3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
Size

440KB
MD5

3e6cb6a5af5ecb01dbd56fe6c33a22ea
SHA1

e3404f90c9e5599d32707ea9ec2cf28b425ca09d
SHA256

a84082ae91276ae65520f597253a8b7c1d0756bd0818ba4f50a986b716fa356a
SHA512

2a2b8eb22b46fb3e527cf0ac73d419da4d45f09f15e8b74b3d0a5b7640e7a26da8bb1b409984975c40d6a0936b4bb11ad0aef510c6b4ccc2f40ba6938f25659b
SSDEEP

6144:4Ik+g+ykKrPe+SNbvEMdJJ+iYieQi2COv8XmTjkLm8nfsxF7wjimU9:4P9BDSNb9+iYZQD82vkLnfOOim

Score

10^/10

formbook zgrat h318 agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

h318

Decoy

peertopeerleasing.com

asiatrianda.com

kingcredit2015.com

louzanabayas.info

winstoncabinets.com

6thcenter.com

bidrooom.com

artanova-horst.com

sssav13131.com

gurunanak.site

dondizitextile.com

srooapc.com

brandolphia.com

guild9gaming.com

opusalloysshireinquiry.com

ivsicongress2019.info

botgiatzeo.com

2sstoreusa.com

smkinc.net

ebook-discount.com

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1660-2-0x0000000000570000-0x0000000000598000-memory.dmp	family_zgrat_v1

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3048-10-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1660-2-0x0000000000570000-0x0000000000598000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe

description	pid	process	target process
PID 1660 set thread context of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2604 3048 WerFault.exe 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1660 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe

pid	pid_target	process	target process
2604	3048	WerFault.exe	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe

description	pid	process	target process
PID 1660 wrote to memory of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
PID 1660 wrote to memory of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
PID 1660 wrote to memory of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
PID 1660 wrote to memory of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
PID 1660 wrote to memory of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
PID 1660 wrote to memory of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
PID 1660 wrote to memory of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
PID 3048 wrote to memory of 2604	3048	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	WerFault.exe
PID 3048 wrote to memory of 2604	3048	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	WerFault.exe
PID 3048 wrote to memory of 2604	3048	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	WerFault.exe
PID 3048 wrote to memory of 2604	3048	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 36
3⤵
- Program crash
PID:2604

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1660-0-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

Filesize
4KB

Download
memory/1660-1-0x0000000001390000-0x0000000001404000-memory.dmp

Filesize
464KB

Download
memory/1660-2-0x0000000000570000-0x0000000000598000-memory.dmp

Filesize
160KB

Download
memory/1660-3-0x0000000074A20000-0x000000007510E000-memory.dmp

Filesize
6.9MB

Download
memory/1660-4-0x0000000074A20000-0x000000007510E000-memory.dmp

Filesize
6.9MB

Download
memory/1660-11-0x0000000074A20000-0x000000007510E000-memory.dmp

Filesize
6.9MB

Download
memory/3048-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3048-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3048-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3048-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads