formbook | a409bcf88a07c401c4f6f11be261c80b47c2e5ae29338c7ad5de509ff1eefbd8

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe
Size

223KB
MD5

3d7030426830af1ce3e9e06412954688
SHA1

a664885f5f911b3add94b379c7caa8729ca253d0
SHA256

a409bcf88a07c401c4f6f11be261c80b47c2e5ae29338c7ad5de509ff1eefbd8
SHA512

9506362a98b64e17d9b8d00347821933e7711fff12cb4d2d5b79041fba58f10551db9f1c9088d8cd051170fcfb6f5de9631c0aa5a76ff5a15c0c3aaab8e782d8
SSDEEP

6144:UDk3eLcIxMtD67ASSK9xIQF+0jBbFy/Mni+iNHBrCaHl5:x3efMZ6cY9mZuBbFpn1iNHdH

Score

10^/10

formbook go persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

florimstone.ltd

cristianspataru.com

allavolontahk.com

theartensembleofchicago.com

caixk.com

themirrorprogram.com

app-santa.com

shamelesssoaps.com

adamsgaragedoorservice.com

modelweekpittsburgh.com

xaoz168.com

aquariumcozumel.com

lightpictureriver.com

uhvum.info

chunail.com

soportetecno.com

airfoilone.info

almaguinscientific.com

kupian.net

periovancedental.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/2768-28-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/4412-22-0x0000000005970000-0x000000000599A000-memory.dmp	formbook
behavioral2/memory/2768-31-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	NETSTAT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZJ_LKLKX8F = "C:\\Program Files (x86)\\B9rd0cv_\\msaji0r.exe"	NETSTAT.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4412 set thread context of 2768	4412	3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe	90
PID 2768 set thread context of 3436	2768	vbc.exe	56
PID 2768 set thread context of 3436	2768	vbc.exe	56
PID 1992 set thread context of 3436	1992	NETSTAT.EXE	56

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\B9rd0cv_\msaji0r.exe	NETSTAT.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1992	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4412	3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe
4412	3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe
2768	vbc.exe
2768	vbc.exe
2768	vbc.exe
2768	vbc.exe
2768	vbc.exe
2768	vbc.exe
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2768	vbc.exe
2768	vbc.exe
2768	vbc.exe
2768	vbc.exe
1992	NETSTAT.EXE
1992	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe
Token: SeDebugPrivilege	2768	vbc.exe
Token: SeDebugPrivilege	1992	NETSTAT.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3436	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 392	4412	3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe	85
PID 4412 wrote to memory of 392	4412	3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe	85
PID 4412 wrote to memory of 392	4412	3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe	85
PID 392 wrote to memory of 2264	392	csc.exe	88
PID 392 wrote to memory of 2264	392	csc.exe	88
PID 392 wrote to memory of 2264	392	csc.exe	88
PID 4412 wrote to memory of 2768	4412	3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe	90
PID 4412 wrote to memory of 2768	4412	3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe	90
PID 4412 wrote to memory of 2768	4412	3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe	90
PID 4412 wrote to memory of 2768	4412	3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe	90
PID 4412 wrote to memory of 2768	4412	3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe	90
PID 4412 wrote to memory of 2768	4412	3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe	90
PID 2768 wrote to memory of 1992	2768	vbc.exe	101
PID 2768 wrote to memory of 1992	2768	vbc.exe	101
PID 2768 wrote to memory of 1992	2768	vbc.exe	101
PID 1992 wrote to memory of 2684	1992	NETSTAT.EXE	102
PID 1992 wrote to memory of 2684	1992	NETSTAT.EXE	102
PID 1992 wrote to memory of 2684	1992	NETSTAT.EXE	102
PID 1992 wrote to memory of 3972	1992	NETSTAT.EXE	107
PID 1992 wrote to memory of 3972	1992	NETSTAT.EXE	107
PID 1992 wrote to memory of 3972	1992	NETSTAT.EXE	107

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3436
- C:\Users\Admin\AppData\Local\Temp\3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3d7030426830af1ce3e9e06412954688_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bvifggsk\bvifggsk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F6A.tmp" "c:\Users\Admin\AppData\Local\Temp\bvifggsk\CSC2BBD01A6966A4E07AC6C34BBFB565CE.TMP"
      4⤵
      PID:2264
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      4⤵
      Adds policy Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Gathers network information
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        5⤵
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        5⤵
        
        PID:3972
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3F6A.tmp

Filesize
1KB

MD5
5bd286ad16ddea2501d052aa25f6bbfd

SHA1
010db9116918f059df75b5b6328261bac79d2f81

SHA256
56d56d92aefa85aa3eb7b52e712f29bd21f14d6f059c83dbfbc81cf6c7cfdcd8

SHA512
0a3ba55ca473043f41e95927e222e3b83879b73b2ee4d377ff1f8ba47a20ccf2209283af1ab2dc7863534e16f0aa5eda053ff21bd7fc1ae6116505e20375bd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvifggsk\bvifggsk.dll

Filesize
9KB

MD5
c7c2406c2c9a8d1d1f1c73747ab9fb48

SHA1
c7d757530e35a0bf40a9278361db58efffb80d41

SHA256
2cb3234a19bb2ab12a98f9d84d6c694b9b22fbdbbb889ccf6e061a3970161e13

SHA512
15bf667ab22d8b5247c8dff57352addc29b423712a0dcb70b65d737d198d741ba0946605e2ad59b5674e13623bec86fc7fd175d5e6bdb813f562149d6727df6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvifggsk\bvifggsk.pdb

Filesize
29KB

MD5
08f30d023366759a25594449254afadb

SHA1
870130508c3f1cfebdc63f82ce487c9aa8f90a85

SHA256
9ce2742d06ea920a26224ad2765d5456655f12d6c0a70a48865fb791c6073770

SHA512
c31782b27790a15584e59d1e55d30b58c76651f30011d121db311d2224ce114ece0fc6174ebe8da196222e9a370ea169618322ca1d66161de000813a612bbd51

Download Submit
C:\Users\Admin\AppData\Roaming\3P1-RPVE\3P1logim.jpeg

Filesize
77KB

MD5
0f5ac76732a94499fb7ada8ab312a685

SHA1
3e56c32c243698542a7604c25bdb3a029edf3f02

SHA256
a9e19e06137876a540fee452daec3e364b66c19e7ad8f4a25184415211714bb6

SHA512
a690f8f7ee31494b5e400da567e555b1779ba19166ae6d9f89784f53492ce311fa3da64f85352f407f56084c81ab4f0700343937aaf5444d338acafe70058b19

Download Submit
C:\Users\Admin\AppData\Roaming\3P1-RPVE\3P1logrg.ini

Filesize
38B

MD5
4aadf49fed30e4c9b3fe4a3dd6445ebe

SHA1
1e332822167c6f351b99615eada2c30a538ff037

SHA256
75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

SHA512
eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

Download Submit
C:\Users\Admin\AppData\Roaming\3P1-RPVE\3P1logri.ini

Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\3P1-RPVE\3P1logrv.ini

Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
C:\Users\Admin\AppData\Roaming\3P1-RPVE\3P1logrv.ini

Filesize
872B

MD5
bbc41c78bae6c71e63cb544a6a284d94

SHA1
33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

SHA256
ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

SHA512
0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bvifggsk\CSC2BBD01A6966A4E07AC6C34BBFB565CE.TMP

Filesize
1KB

MD5
f2f8070ecb69762ab8b41a095d4b7e55

SHA1
83a43810e8d5cef49d8004d80dfe4b821c61bd81

SHA256
c11eaaddb17186a7dcd70266ef5d0a0851b3822eef6dc0d3f4925c67288680d7

SHA512
838db5b67671f5d496b22523f13ec1b0b2e44e0f6c3d320b38559a668c179688155881ec37feb74b244442cec34f9fdde94cc05d6d53dd4648457455ef24f1b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bvifggsk\bvifggsk.0.cs

Filesize
10KB

MD5
e47fdad24b231f8d108b657ef13bd7da

SHA1
1e96959956ae8602c7124eb933d15ea7d5b2f5e9

SHA256
07af294f4449dcfd41ae0a99b0f840b0163d2df2f63fdfc59204a6b5c794b176

SHA512
caa3045d7e74bd9fd43fc2804d3b6f23977f140e4ff91d750b21ea347408823a2338eaab1bc00120d79a88e532a97ae3b898fa3d08c3f97f1107a859988f49c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bvifggsk\bvifggsk.cmdline

Filesize
248B

MD5
ffc3099019287eb5140b4bed256f884a

SHA1
82be1713c5d094492218bf99b9fe8aad120d3460

SHA256
4315f27ad4d2f02333516a0163efbbdbd95592db22d9e4aebc6ece5f3021650c

SHA512
4b78d5552ddba9717ada507bd1ebd76996180294fdf36ec747d57f2489fe8bcd9d3e242741edc54029cfa3a0768b7e03e76413ba3ceb034921f5e160e96eaccc

Download Submit
memory/1992-37-0x0000000000370000-0x000000000037B000-memory.dmp

Filesize
44KB

Download
memory/1992-36-0x0000000000370000-0x000000000037B000-memory.dmp

Filesize
44KB

Download
memory/2768-28-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2768-31-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3436-42-0x0000000007200000-0x00000000072CA000-memory.dmp

Filesize
808KB

Download
memory/3436-43-0x0000000007200000-0x00000000072CA000-memory.dmp

Filesize
808KB

Download
memory/3436-32-0x000000000A790000-0x000000000A92F000-memory.dmp

Filesize
1.6MB

Download
memory/3436-46-0x0000000007200000-0x00000000072CA000-memory.dmp

Filesize
808KB

Download
memory/3436-40-0x000000000A790000-0x000000000A92F000-memory.dmp

Filesize
1.6MB

Download
memory/3436-29-0x0000000008960000-0x0000000008ABD000-memory.dmp

Filesize
1.4MB

Download
memory/3436-38-0x0000000008960000-0x0000000008ABD000-memory.dmp

Filesize
1.4MB

Download
memory/4412-22-0x0000000005970000-0x000000000599A000-memory.dmp

Filesize
168KB

Download
memory/4412-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

Filesize
4KB

Download
memory/4412-17-0x0000000003290000-0x0000000003298000-memory.dmp

Filesize
32KB

Download
memory/4412-20-0x00000000058F0000-0x000000000592A000-memory.dmp

Filesize
232KB

Download
memory/4412-26-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4412-23-0x0000000005F40000-0x0000000005FDC000-memory.dmp

Filesize
624KB

Download
memory/4412-21-0x00000000057D0000-0x00000000057DC000-memory.dmp

Filesize
48KB

Download
memory/4412-19-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/4412-5-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4412-1-0x0000000000DF0000-0x0000000000E2C000-memory.dmp

Filesize
240KB

Download