formbook | a84082ae91276ae65520f597253a8b7c1d0756bd0818ba4f50a986b716fa356a

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
Size

440KB
MD5

3e6cb6a5af5ecb01dbd56fe6c33a22ea
SHA1

e3404f90c9e5599d32707ea9ec2cf28b425ca09d
SHA256

a84082ae91276ae65520f597253a8b7c1d0756bd0818ba4f50a986b716fa356a
SHA512

2a2b8eb22b46fb3e527cf0ac73d419da4d45f09f15e8b74b3d0a5b7640e7a26da8bb1b409984975c40d6a0936b4bb11ad0aef510c6b4ccc2f40ba6938f25659b
SSDEEP

6144:4Ik+g+ykKrPe+SNbvEMdJJ+iYieQi2COv8XmTjkLm8nfsxF7wjimU9:4P9BDSNb9+iYZQD82vkLnfOOim

Score

10^/10

formbook zgrat h318 agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

h318

Decoy

peertopeerleasing.com

asiatrianda.com

kingcredit2015.com

louzanabayas.info

winstoncabinets.com

6thcenter.com

bidrooom.com

artanova-horst.com

sssav13131.com

gurunanak.site

dondizitextile.com

srooapc.com

brandolphia.com

guild9gaming.com

opusalloysshireinquiry.com

ivsicongress2019.info

botgiatzeo.com

2sstoreusa.com

smkinc.net

ebook-discount.com

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/1660-2-0x0000000000570000-0x0000000000598000-memory.dmp	family_zgrat_v1

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/3048-10-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1660-2-0x0000000000570000-0x0000000000598000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1660 set thread context of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2604	3048	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	28
PID 1660 wrote to memory of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	28
PID 1660 wrote to memory of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	28
PID 1660 wrote to memory of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	28
PID 1660 wrote to memory of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	28
PID 1660 wrote to memory of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	28
PID 1660 wrote to memory of 3048	1660	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	28
PID 3048 wrote to memory of 2604	3048	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2604	3048	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2604	3048	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2604	3048	3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 36
    3⤵
    - Program crash
    PID:2604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1660-0-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

Filesize
4KB

Download
memory/1660-1-0x0000000001390000-0x0000000001404000-memory.dmp

Filesize
464KB

Download
memory/1660-2-0x0000000000570000-0x0000000000598000-memory.dmp

Filesize
160KB

Download
memory/1660-3-0x0000000074A20000-0x000000007510E000-memory.dmp

Filesize
6.9MB

Download
memory/1660-4-0x0000000074A20000-0x000000007510E000-memory.dmp

Filesize
6.9MB

Download
memory/1660-11-0x0000000074A20000-0x000000007510E000-memory.dmp

Filesize
6.9MB

Download
memory/3048-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3048-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3048-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3048-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download