formbook | aeb152965dfacf939b0329628a69d1c5297bbae7090ee6aa40458aecc49613cc

General

Target

67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe
Size

529KB
MD5

67d6cc23b3d706b688e2fc2bf86adeb2
SHA1

129ca4404eeb7064d6c8f0ac6902004c103b1955
SHA256

aeb152965dfacf939b0329628a69d1c5297bbae7090ee6aa40458aecc49613cc
SHA512

0268bed3248babf5202f42f84e9403cc5b53db0857ee2a9f1e31f82c8c982c250d5a5f5fb14e622a30e04c6cf5de462b388a8ada64dd4bfb040b936d3ae7c47e
SSDEEP

12288:17Q8838bm5PmPZvTH8T9xRAw7WXymM4aCRj1:omPZAT9Dp7WCmM4r

Score

10^/10

formbook di rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

di

Decoy

countdown-mirage.com

fusion11tyler.com

xn--ccklb4p0b9c2f.site

tasucusahilemlak.com

edubcbe.com

phunulamdep.today

hsbei.com

molly20.com

creditcardtalks.com

simonadecors.com

sefakarabacak.com

plusong.com

mrcoursereview.com

dolphinaping.site

dgytwh.com

lestoilesart.com

dadshow.net

shinhanconvention.com

check-that-notice-works.com

fingerlakesprowashing.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1972-19-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe

description	pid	process	target process
PID 2988 set thread context of 1972	2988	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe

pid	process
2988	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe
2988	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe
2988	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe
2988	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe
1972	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe

pid process

2988 67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe

description	pid	process	target process
PID 2988 wrote to memory of 1972	2988	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe
PID 2988 wrote to memory of 1972	2988	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe
PID 2988 wrote to memory of 1972	2988	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe
PID 2988 wrote to memory of 1972	2988	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe
PID 2988 wrote to memory of 1972	2988	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe	67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67d6cc23b3d706b688e2fc2bf86adeb2_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1972

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1972-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2988-8-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-1-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-7-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-14-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-15-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-4-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-5-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-6-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-3-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-2-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-10-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-9-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-11-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-12-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-13-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-16-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-17-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-18-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2988-0-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads