formbook | 0f1d8850800e71e21ea5b4cf6368ff5aafd1bd9cd0b5280388767a27e04b3d80

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe
Size

536KB
MD5

6400dce0bcaa984502231c1a8ca4bcdd
SHA1

c9961928d0c2cec15cc762e0e384c8d22889cc9f
SHA256

0f1d8850800e71e21ea5b4cf6368ff5aafd1bd9cd0b5280388767a27e04b3d80
SHA512

c1dcf5124286b2e12e9be5b538c02ada49e3a4dda434c082fb503b618d1c9dac401f7cc24df2b72c6847a4dd791193c39b48c88a2f7123317c84387d11ab2394
SSDEEP

6144:zk0N1y0dq91FBQSeEke3SIs7pZpXEuV/bF7aS7/WTrYBRk:zk0Nk91rrh8ZpXr9B7P700BRk

Score

10^/10

formbook js rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

invisibleladder.com

kidswaronwaste.com

simonmillers.com

samincraft.com

cranesworld.com

nvagencia.com

descargapp.info

paidconsumersurveys.net

carnivalofsong.com

htours.net

odytjm.tech

nationalimmobilier.com

fbbhrk.info

aaabbb.xyz

jbnkgame2.info

dma777.com

shpzjr.com

dakarrepuestos.com

kaibo.info

theopulentco.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/212-6-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe

pid process

212 6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe
212 6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe

pid process

212 6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe
212 6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe

pid process

212 6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe
212 6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe

pid process

212 6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe

pid	process
212	6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe
212	6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe

pid	process
212	6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe
212	6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe

pid	process
212	6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe
212	6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe

pid	process
212	6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6400dce0bcaa984502231c1a8ca4bcdd_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-3-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/212-4-0x0000000002260000-0x0000000002265000-memory.dmp

Filesize
20KB

Download
memory/212-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/212-9-0x0000000077BE1000-0x0000000077D01000-memory.dmp

Filesize
1.1MB

Download
memory/212-11-0x000000000D2A0000-0x000000000D5EA000-memory.dmp

Filesize
3.3MB

Download
memory/212-14-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download