formbook | 67f8ad3999ae43679f67d54be1fd73f0a009b0509f7284ad0ad726615e83e139

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
Size

428KB
MD5

640a5a69bb8bad401d53decd4cc8ca20
SHA1

01fa7024fd76ca92eccc565e2c393048b3f11c51
SHA256

67f8ad3999ae43679f67d54be1fd73f0a009b0509f7284ad0ad726615e83e139
SHA512

32b59acacd1ada2c488a91130e28196556687e4b5fb41b46b959ff25ef7cb2ad6e2f77d37a53eadb0b9823bb084547bff841e3d4e47b56491e5fd26ac2cc66f3
SSDEEP

6144:EwuOFkQsk7HjHaPnjsxnxoZunk+dbRyPEIBSSh4a5yZQlgy85iA2p07ybCx7XtnC:MQsk7+LI5RCzjTSybyXZ

Score

10^/10

formbook h313 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

h313

Decoy

kudaspb.info

riven.market

strictlyafricanjapan.win

moresisebank.com

lugg14141.com

musictravelbar.com

snip-store.net

mnum2.com

inevitably.ltd

topskin-care.live

chinasmokingglass.com

milkmuuske.com

gadology.com

lntoken.com

wxtusugangguan.com

freetraffic2upgradeall.review

myhumblenode.com

otodo.site

ryden-mckenna-ltd.com

diminishedunison.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5052-3-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe

description	pid	process	target process
PID 3940 set thread context of 5052	3940	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe

pid process

5052 640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
5052 640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe

pid process

3940 640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
3940 640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe

pid process

3940 640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
3940 640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe

pid process

3940 640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe

pid	process
5052	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
5052	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe

pid	process
3940	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
3940	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe

pid	process
3940	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
3940	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe

pid	process
3940	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe

description	pid	process	target process
PID 3940 wrote to memory of 5052	3940	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
PID 3940 wrote to memory of 5052	3940	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
PID 3940 wrote to memory of 5052	3940	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
PID 3940 wrote to memory of 5052	3940	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
PID 3940 wrote to memory of 5052	3940	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
PID 3940 wrote to memory of 5052	3940	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
PID 3940 wrote to memory of 5052	3940	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe	640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\640a5a69bb8bad401d53decd4cc8ca20_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3940-2-0x0000000077331000-0x0000000077451000-memory.dmp

Filesize
1.1MB

Download
memory/5052-3-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download