Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 03:04

General

  • Target

    6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe

  • Size

    472KB

  • MD5

    6d2331c2b272fbe95d77250c47b37e71

  • SHA1

    e70258580bda815758bef6386b0d64bfbde24ff6

  • SHA256

    58be60f2549f4c7093fcb9fdc050154389d02b4ad7b60439122de5bf02865074

  • SHA512

    150d69d9815c8e3b9a8331cfd7eb46aedc21b6f4c8c2ff45f717bba143bd6d90d02e342d20dc78c1e78e431f7a69ee03c60da564d5ea826a9358f40921e49961

  • SSDEEP

    6144:cmrL7bOr2xYboL9br/U+e/HQL3dZ655y8Yvl/oHzUmaIv7:cm7GEYmnU+aHQTm5gdvl4Q1y

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

tg

Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Users\Admin\AppData\Local\Temp\6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe"
      • Suspicious behavior: EnumeratesProcesses
      PID:3396
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
      PID:2232


    Downloads

    • memory/3396-5-0x0000000000400000-0x000000000042A000-memory.dmp
      Filesize

      168KB

    • memory/4296-3-0x0000000077271000-0x0000000077391000-memory.dmp
      Filesize

      1.1MB

    • memory/4296-7-0x0000000077271000-0x0000000077391000-memory.dmp
      Filesize

      1.1MB