formbook | f5fa18d39f0b842d6a142a8c6da920bc494e880b5909b196fa68e7e6ffe4604c

Analysis

max time kernel
91s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe
Size

355KB
MD5

4372c18fbe734ef31fffe8fbde52adda
SHA1

4b65e3ea741ba115088ffd0915e7f1963c4d91bc
SHA256

f5fa18d39f0b842d6a142a8c6da920bc494e880b5909b196fa68e7e6ffe4604c
SHA512

f906dfc4ae493b57c974770b1f2dc9d00a1c8a69e1e1eb625ef5eecc67fb385b1b68d4d0547d2aa6a195b4a6a4348a3919338d41511e9f83e9b243fd14e182d9
SSDEEP

6144:l9m82gw6NuqWzgETzScJHGfX80mzZPN/Wbt/jOXTTwhA4rdr:XKSuqWqcJmf8FxhWFjOXvkr

Score

10^/10

formbook zgrat po agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

toptravelbox.com

564manbetx.com

rainmakerfreedom.com

caobi954.com

vananhhandmade.com

reisengeniessen.net

milan000.com

opebet181.com

betshoppersparadise.com

zersenengineering.com

www4021166.com

itgifbhfhfg.online

wagertoken.com

casinomansions.net

gabiethiagomendes.com

com-services-secure-id.info

workdigitalmarketing.com

housesforcashpros.link

redsealdigital.com

hj1986.com

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3744-6-0x0000000007080000-0x00000000070AC000-memory.dmp	family_zgrat_v1

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2056-11-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/3744-6-0x0000000007080000-0x00000000070AC000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3744 set thread context of 2056	3744	4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe

pid	Process
2056	4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe
2056	4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	3744	4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3744 wrote to memory of 2056	3744	4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe	90
PID 3744 wrote to memory of 2056	3744	4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe	90
PID 3744 wrote to memory of 2056	3744	4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe	90
PID 3744 wrote to memory of 2056	3744	4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe	90
PID 3744 wrote to memory of 2056	3744	4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe	90
PID 3744 wrote to memory of 2056	3744	4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Local\Temp\4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2056-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2056-14-0x0000000001AC0000-0x0000000001E0A000-memory.dmp

Filesize
3.3MB

Download
memory/3744-6-0x0000000007080000-0x00000000070AC000-memory.dmp

Filesize
176KB

Download
memory/3744-3-0x0000000007600000-0x0000000007BA4000-memory.dmp

Filesize
5.6MB

Download
memory/3744-4-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/3744-5-0x0000000007100000-0x0000000007192000-memory.dmp

Filesize
584KB

Download
memory/3744-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/3744-7-0x00000000045D0000-0x00000000045DA000-memory.dmp

Filesize
40KB

Download
memory/3744-8-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/3744-9-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/3744-10-0x0000000007520000-0x00000000075BC000-memory.dmp

Filesize
624KB

Download
memory/3744-2-0x0000000004BE0000-0x0000000004C40000-memory.dmp

Filesize
384KB

Download
memory/3744-13-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/3744-1-0x0000000000120000-0x0000000000182000-memory.dmp

Filesize
392KB

Download