formbook | 640954d4ebc38cbeb5902ca26620dd8707fcde08afb4a03c58085a3c8f46abc8

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe
Size

229KB
MD5

5ac0c92372850980aa91d04754ece1f1
SHA1

36e35bf4f7e1881a520c03a85ce0a01176313c00
SHA256

640954d4ebc38cbeb5902ca26620dd8707fcde08afb4a03c58085a3c8f46abc8
SHA512

c135a6bc82c4ef9016a7923a308d7b0482ac542b769d52c919e5e57121a3bef5ad49d5361a20d3ee2d8d234bd61dadc9b611a7cff85fd0dcd311297c6c7f80ca
SSDEEP

3072:hArak7/olcUdP2QLiFLGFfP6FpWifj2EslWhX0L2EtzCy8em1EU23LWa3GpKq9qz:2BAHLmiNXirpXAH+H1+3LWzB9

Score

10^/10

formbook upah rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

upah

Decoy

ulwsh.com

sba80.com

mariodiasmusic.com

tedxuoftmississauga.com

fashionstylerpro.com

texasnavybrazoriacounty.com

pm917fip.biz

crmmigration.com

yupfn.info

thoughtfulmen.com

hdtongshijie.com

lpsmalabanan.com

hermes-gtd.com

thomasgharvey.com

reclamevis.com

realmomvlogs.com

frtbsq.men

klintagarden.com

greatvapeco.com

etnastrategies.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2604-10-0x0000000000400000-0x000000000042D000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe

description	pid	process	target process
PID 2864 set thread context of 2604	2864	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe

pid process

2604 5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe

pid	process
2604	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe

description	pid	process	target process
PID 2864 wrote to memory of 2604	2864	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe
PID 2864 wrote to memory of 2604	2864	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe
PID 2864 wrote to memory of 2604	2864	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe
PID 2864 wrote to memory of 2604	2864	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe
PID 2864 wrote to memory of 2604	2864	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe
PID 2864 wrote to memory of 2604	2864	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe
PID 2864 wrote to memory of 2604	2864	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe	5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\5ac0c92372850980aa91d04754ece1f1_JaffaCakes118.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2604

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2604-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2604-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2604-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2604-12-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/2864-0-0x000000007482E000-0x000000007482F000-memory.dmp

Filesize
4KB

Download
memory/2864-1-0x00000000010F0000-0x0000000001130000-memory.dmp

Filesize
256KB

Download
memory/2864-2-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2864-3-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2864-4-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2864-5-0x0000000000FF0000-0x000000000102A000-memory.dmp

Filesize
232KB

Download
memory/2864-11-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads