formbook | 6fd8fde47bfdecf4c5fa63b708ef5f28ba0b9417eab79ac395cd6bf068eedcc7

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe
Size

837KB
MD5

772818fce7b10874f4966be5a8cd7c27
SHA1

a60926d4ee84fe6da426a6165ca6f02ef6e1fbbf
SHA256

6fd8fde47bfdecf4c5fa63b708ef5f28ba0b9417eab79ac395cd6bf068eedcc7
SHA512

bf76e0c30b5ab8e77c281482cf78724174057370bc05911f6f574c62b8d3904be4822a9e54287eda813a84a0038dbb038f356ea9696dd931b260b1937509bd06
SSDEEP

24576:81KWCAI+LdOTOi8r+/ZS5TPhPJfQV9wMok:kbIsOTOiBZSpPhG9wMT

Score

10^/10

formbook dg1 agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

dg1

Decoy

pilatesmania.life

5bcoin.com

ammowillcall.com

quickwinz.market

terigele.com

sohotoken.com

tielingwww.site

lz2b3.info

norisc.com

digitalkonsultan.com

925manbetx.com

laricipark.com

quantum7nutrition.com

xceedcg.com

hanagel.com

cane91.download

iotadocker.com

brackenupholstery.com

erfolg-sichern.online

bihuorg.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2872-12-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2040-2-0x0000000000600000-0x0000000000630000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe

description	pid	process	target process
PID 2040 set thread context of 2872	2040	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe

pid process

2872 772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2040 772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe

pid	process
2872	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2040	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe

description	pid	process	target process
PID 2040 wrote to memory of 2872	2040	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe
PID 2040 wrote to memory of 2872	2040	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe
PID 2040 wrote to memory of 2872	2040	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe
PID 2040 wrote to memory of 2872	2040	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe
PID 2040 wrote to memory of 2872	2040	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe
PID 2040 wrote to memory of 2872	2040	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe
PID 2040 wrote to memory of 2872	2040	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe	772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\772818fce7b10874f4966be5a8cd7c27_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

Filesize
4KB

Download
memory/2040-1-0x0000000000E10000-0x0000000000EE8000-memory.dmp

Filesize
864KB

Download
memory/2040-2-0x0000000000600000-0x0000000000630000-memory.dmp

Filesize
192KB

Download
memory/2040-3-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/2040-4-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-5-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-13-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2872-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2872-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2872-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2872-14-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download