formbook | f78e509ec3ba4a6a2391ef33aa6d6bd82071bf4993f9527ad0b3c599bed5ea7f

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

640697fb17bca815e114b38b305124aa_JaffaCakes118.exe
Size

400KB
MD5

640697fb17bca815e114b38b305124aa
SHA1

69fecc45676a3913b2a58b7017bfb6a284bfe3a0
SHA256

f78e509ec3ba4a6a2391ef33aa6d6bd82071bf4993f9527ad0b3c599bed5ea7f
SHA512

a97b5fb1b8d7508033caf94c09adf7f06a12a6e127f9737cb6f819c6b32fbf590d091bca035ee3d3a0e452bffe447c50038876e66f86dc34739f39414b71d21f
SSDEEP

12288:r3OdHilEQrfuPbhv/MNLwl+8L41u1EEDv:rgClEufi8NLwl+8k

Score

10^/10

formbook ko rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

html5zone.com

kennet.cloud

yakaoren.com

bestgirlswonderfulvideo.site

ramurho.com

jinkugw.com

dehraduncoachingacademy.com

lfheater.com

ungzwt.men

aliqiutian.com

lansvallarta.com

morrisimage.win

doppledecker.com

serpaca.com

inversebuy.com

businesalue.com

lotustvhouston.net

dipa.ltd

adscreate.business

xn--3ds50hcyhf6z.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2888-3-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

640697fb17bca815e114b38b305124aa_JaffaCakes118.exe

pid process

2888 640697fb17bca815e114b38b305124aa_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

640697fb17bca815e114b38b305124aa_JaffaCakes118.exe

pid process

2888 640697fb17bca815e114b38b305124aa_JaffaCakes118.exe
2888 640697fb17bca815e114b38b305124aa_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

640697fb17bca815e114b38b305124aa_JaffaCakes118.exe

pid process

2888 640697fb17bca815e114b38b305124aa_JaffaCakes118.exe
2888 640697fb17bca815e114b38b305124aa_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

640697fb17bca815e114b38b305124aa_JaffaCakes118.exe

pid process

2888 640697fb17bca815e114b38b305124aa_JaffaCakes118.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

640697fb17bca815e114b38b305124aa_JaffaCakes118.exe

pid process

2888 640697fb17bca815e114b38b305124aa_JaffaCakes118.exe

pid	process
2888	640697fb17bca815e114b38b305124aa_JaffaCakes118.exe

pid	process
2888	640697fb17bca815e114b38b305124aa_JaffaCakes118.exe
2888	640697fb17bca815e114b38b305124aa_JaffaCakes118.exe

pid	process
2888	640697fb17bca815e114b38b305124aa_JaffaCakes118.exe
2888	640697fb17bca815e114b38b305124aa_JaffaCakes118.exe

pid	process
2888	640697fb17bca815e114b38b305124aa_JaffaCakes118.exe

pid	process
2888	640697fb17bca815e114b38b305124aa_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\640697fb17bca815e114b38b305124aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\640697fb17bca815e114b38b305124aa_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:2888

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2888-2-0x0000000077330000-0x0000000077406000-memory.dmp

Filesize
856KB

Download
memory/2888-3-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2888-5-0x000000000B3A0000-0x000000000B6A3000-memory.dmp

Filesize
3.0MB

Download
memory/2888-7-0x0000000072940000-0x0000000072A60000-memory.dmp

Filesize
1.1MB

Download