formbook | fd37a492eb083eb43dfd53cf28f0a0840e1bab5a68937080d764ea4df9f90945

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe
Size

336KB
MD5

5396b22800da1f1c7528ae67a5fe011d
SHA1

4fdd0248152166f9821e8e447476d595740dae7f
SHA256

fd37a492eb083eb43dfd53cf28f0a0840e1bab5a68937080d764ea4df9f90945
SHA512

31b407d54af8f8966403c79b3fcd251e4c99d26d693d6774564800f862920cea7f9d3e4a68141512b5aab87b170fde6ad06b656151a7937bd816a1c0591fdd4b
SSDEEP

6144:BsKxheSkTu7k0XwWcmoO1HvfvCXRSq40wO8qxtW2HXkZ:BsuheSeuY0glm31/CXT4hgA2HXkZ

Score

10^/10

formbook ca rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

tirtatv.com

thefinalreviews.com

lakesidesrealtor.net

jilinjijin.com

packfreshcannabis.com

mohammedfakiha.com

oilxl.info

xn--doqu1wc86axnn.com

core-marlk.com

truyenvoz.info

ptamed.com

y31000.com

tredaily.com

jsaswkj.com

xiunan.net

panaceagluta.com

kenanalifd.com

0513gx.com

kpdvk04wr3.biz

riobaretanning.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1820-6-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Drops file in Windows directory 1 IoCs

Processes:

5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\win.ini 5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe

pid process

1820 5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe

pid process

1820 5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe

pid process

1820 5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe

pid	process
1820	5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe

pid	process
1820	5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe

pid	process
1820	5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5396b22800da1f1c7528ae67a5fe011d_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:1820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1820-4-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/1820-5-0x0000000003900000-0x0000000003A00000-memory.dmp

Filesize
1024KB

Download
memory/1820-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1820-8-0x0000000076EA0000-0x0000000076F76000-memory.dmp

Filesize
856KB

Download
memory/1820-10-0x0000000072940000-0x0000000072A60000-memory.dmp

Filesize
1.1MB

Download
memory/1820-11-0x000000000BCD0000-0x000000000BFD3000-memory.dmp

Filesize
3.0MB

Download
memory/1820-12-0x000000000BCD0000-0x000000000BFD3000-memory.dmp

Filesize
3.0MB

Download