Overview

overview

10

Static

static

3

9848ed6b33...18.exe

windows7-x64

10

9848ed6b33...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/06/2024, 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9848ed6b330af66b3d4cc6178aed0886_JaffaCakes118.exe

  • Size

    801KB

  • MD5

    9848ed6b330af66b3d4cc6178aed0886

  • SHA1

    23a9b11a4c4fd868ef61e4243f684bc6ed99f799

  • SHA256

    7d32a825867aa32e3b0bd84bbc59c7e9c6bd2aff57c0f233918f810cf8e0d7a7

  • SHA512

    bfc90cc7f27b8949ee0341036cf853cb60331426eaa560da8504ffa97e0477c07a7ca5f459ca3994087fc2585a67ac93a93a3ccfeb4ece9e1cc5ad31bd08f969

  • SSDEEP

    6144:Am3hioQ4wrKNdniADS4qiawVSxypCOv8XmTjkLm8nfsxF7wjimxWhcJvJwbZz:5RiOwrGdLzqqVS282vkLnfOOimc1bZ

Score
10/10
formbookdg1agilenetratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

dg1

Decoy

pilatesmania.life

5bcoin.com

ammowillcall.com

quickwinz.market

terigele.com

sohotoken.com

tielingwww.site

lz2b3.info

norisc.com

digitalkonsultan.com

925manbetx.com

laricipark.com

quantum7nutrition.com

xceedcg.com

hanagel.com

cane91.download

iotadocker.com

brackenupholstery.com

erfolg-sichern.online

bihuorg.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9848ed6b330af66b3d4cc6178aed0886_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9848ed6b330af66b3d4cc6178aed0886_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Users\Admin\AppData\Local\Temp\9848ed6b330af66b3d4cc6178aed0886_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\9848ed6b330af66b3d4cc6178aed0886_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1524-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1524-1-0x0000000001340000-0x000000000140E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/1524-2-0x00000000003B0000-0x00000000003D8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1524-3-0x0000000074C00000-0x00000000752EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1524-4-0x0000000074C00000-0x00000000752EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1524-12-0x0000000074C00000-0x00000000752EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2144-5-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2144-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2144-7-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2144-11-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2144-13-0x0000000000A20000-0x0000000000D23000-memory.dmp

    Filesize

    3.0MB

    Download