formbook | 75126a9e47774b66c23d7bee87c4b1fdb2be6abc37b28d65eb842324956cd8f5

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

608b3c7d4092ba03e8393c5b6102cc34_JaffaCakes118.exe
Size

688KB
MD5

608b3c7d4092ba03e8393c5b6102cc34
SHA1

5f81869f67b5376317e496447431cc0e1924f2f9
SHA256

75126a9e47774b66c23d7bee87c4b1fdb2be6abc37b28d65eb842324956cd8f5
SHA512

ebc34a35436ca07ac3687d1841946a7ffc4e3556cfe498f5d9ef6ac410cfab82e49c77ba94d03f364934f136660b6db0a5788563da8c0ebf1170c853800f3725
SSDEEP

12288:SIfeAaArx2xis71SNHHF9VDc7/PXJ93zsWmNSZk:H93Gi1FjsXJ934dNSZ

Score

10^/10

formbook l5 rat spyware stealer trojan upx

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

riverchaseapts.net

0430pe.com

nbgift.net

ehkhwn.win

immatthall.com

fkslc.info

breakthroughmediadon.com

eatorganic.life

okcitytowing.com

egaodomain.com

krenbc.com

lavi.ltd

sport-score.com

romskicentar.com

junkyard.design

xn--55q83b758aihq.com

phonerepairlocal.com

5656868.com

1s7onework.men

elizabethreidinteriordesign.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2384-3-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2384-0-0x0000000000400000-0x0000000000659000-memory.dmp	upx
behavioral1/memory/2384-1-0x0000000000400000-0x0000000000659000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

608b3c7d4092ba03e8393c5b6102cc34_JaffaCakes118.exe

pid process

2384 608b3c7d4092ba03e8393c5b6102cc34_JaffaCakes118.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

608b3c7d4092ba03e8393c5b6102cc34_JaffaCakes118.exe

pid process

2384 608b3c7d4092ba03e8393c5b6102cc34_JaffaCakes118.exe

pid	process
2384	608b3c7d4092ba03e8393c5b6102cc34_JaffaCakes118.exe

pid	process
2384	608b3c7d4092ba03e8393c5b6102cc34_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\608b3c7d4092ba03e8393c5b6102cc34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\608b3c7d4092ba03e8393c5b6102cc34_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:2384

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2384-0-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2384-1-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2384-2-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/2384-3-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2384-5-0x0000000003910000-0x0000000003C13000-memory.dmp

Filesize
3.0MB

Download
memory/2384-6-0x0000000003910000-0x0000000003C13000-memory.dmp

Filesize
3.0MB

Download