formbook | dd97d41dbcea146c66d6a62f152d2b86bd60122b920d17eb11c8d639d338c779

Analysis

max time kernel
133s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe
Size

733KB
MD5

735e84ac1205e9dd7816c85f7706afb4
SHA1

2894b5d49235df4845f15477d835c9b78ec08e72
SHA256

dd97d41dbcea146c66d6a62f152d2b86bd60122b920d17eb11c8d639d338c779
SHA512

f3b14d69d62ca59693f72369126c5419188a5f7f33f4d188f439021aff5b8f095593d9ab8a8867b17dfda0ef7eac80287451fee33882ffd460535642fdc46d99
SSDEEP

12288:lF8UUt63DaFFRTImFKqQg7O1W/5N6NspDeaYUEuE5:lTUt63DaFFYqOMRN6IDf7e

Score

10^/10

formbook ma rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.0

Campaign

Decoy

painmedos.com

sp5ce.com

woldtv.com

zpc.ink

makrobet829.com

ar868.com

hakuneko.com

8-lab.info

test-gopalsep14.store

latiendaimportados.com

bakerysweetcheeks.com

nwklb9ze2p0.biz

startosizmir.com

sterilizedknqwp.download

rriivernyile.com

managementcover.site

beach.expert

huamzw.com

emojis3d.com

pissonagrave.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2140-3-0x0000000000400000-0x0000000000428000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe

description	pid	process	target process
PID 4652 set thread context of 2140	4652	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe

pid	process
4652	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe
4652	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe
2140	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe
2140	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 4652 735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	4652	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe

description	pid	process	target process
PID 4652 wrote to memory of 2140	4652	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe
PID 4652 wrote to memory of 2140	4652	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe
PID 4652 wrote to memory of 2140	4652	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe
PID 4652 wrote to memory of 2140	4652	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe
PID 4652 wrote to memory of 2140	4652	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe
PID 4652 wrote to memory of 2140	4652	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe	735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Users\Admin\AppData\Local\Temp\735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\735e84ac1205e9dd7816c85f7706afb4_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2140-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2140-6-0x0000000001080000-0x00000000013CA000-memory.dmp

Filesize
3.3MB

Download
memory/2140-7-0x0000000001080000-0x00000000013CA000-memory.dmp

Filesize
3.3MB

Download
memory/4652-0-0x0000000074D72000-0x0000000074D73000-memory.dmp

Filesize
4KB

Download
memory/4652-1-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/4652-2-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/4652-5-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download