formbook | e797f39f4c6816a5fb7261a80ec56f3aa6f80ab8c2a29e75b024b555552b373c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72a08d74790b5cc675899057127071cb_JaffaCakes118.exe
Size

246KB
MD5

72a08d74790b5cc675899057127071cb
SHA1

64b3087bc076a7e1d07ede624ec16767dfb95fb2
SHA256

e797f39f4c6816a5fb7261a80ec56f3aa6f80ab8c2a29e75b024b555552b373c
SHA512

db77172b220f22f060efcb9e1d7d96b5ab55125344ec608da1508f9bdc33eb83ae10651e4ab841ca57ea252adc358bed2fe6c56b793cd648048a4563bf2d7660
SSDEEP

6144:WGMbSvcEJptXbT8t6FzVTfR9SbfoabduXRia+g35d8g/G:ibUtpte6HTJMr5uUsd

Score

10^/10

formbook aofk rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

aofk

Decoy

theplanetviral.com

51gayporn.com

mesathean.com

vaguidelines-updated.com

newuniverse.net

daveslehighvalleyvac.com

balikesirmasajsalonuu.com

chepinclub.com

shkafko.com

xn--eh3b11fp3f4me.com

qgochyljokbjjx.com

ashleetaylor.net

neckbeardnation.com

jordanthedev.com

pnwminiacs.com

tastyafrecipes.com

postmortemrecycled.com

bodypiercingblog.com

northwestclassicfirearms.com

manilagogo.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1156-10-0x0000000000400000-0x000000000042D000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

72a08d74790b5cc675899057127071cb_JaffaCakes118.exe

description	pid	process	target process
PID 3812 set thread context of 1156	3812	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

72a08d74790b5cc675899057127071cb_JaffaCakes118.exe

pid process

1156 72a08d74790b5cc675899057127071cb_JaffaCakes118.exe
1156 72a08d74790b5cc675899057127071cb_JaffaCakes118.exe

pid	process
1156	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe
1156	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

72a08d74790b5cc675899057127071cb_JaffaCakes118.exe

description	pid	process	target process
PID 3812 wrote to memory of 1156	3812	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe
PID 3812 wrote to memory of 1156	3812	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe
PID 3812 wrote to memory of 1156	3812	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe
PID 3812 wrote to memory of 1156	3812	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe
PID 3812 wrote to memory of 1156	3812	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe
PID 3812 wrote to memory of 1156	3812	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe	72a08d74790b5cc675899057127071cb_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\72a08d74790b5cc675899057127071cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72a08d74790b5cc675899057127071cb_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\72a08d74790b5cc675899057127071cb_JaffaCakes118.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1156-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1156-14-0x00000000011C0000-0x000000000150A000-memory.dmp

Filesize
3.3MB

Download
memory/1156-13-0x00000000011C0000-0x000000000150A000-memory.dmp

Filesize
3.3MB

Download
memory/3812-6-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3812-4-0x0000000004CA0000-0x0000000004D32000-memory.dmp

Filesize
584KB

Download
memory/3812-5-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/3812-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/3812-7-0x0000000005320000-0x000000000535A000-memory.dmp

Filesize
232KB

Download
memory/3812-8-0x0000000005400000-0x000000000549C000-memory.dmp

Filesize
624KB

Download
memory/3812-9-0x0000000005B50000-0x00000000060F4000-memory.dmp

Filesize
5.6MB

Download
memory/3812-3-0x0000000004AB0000-0x0000000004AB8000-memory.dmp

Filesize
32KB

Download
memory/3812-12-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3812-2-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3812-1-0x0000000000100000-0x0000000000144000-memory.dmp

Filesize
272KB

Download