formbook | b8b35cd14e486e7f34351b1fa3e53c874ea1e26627c3455facbb5880f4220caf

Analysis

max time kernel
140s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de754955d421231e309d008e47283c32_JaffaCakes118.exe
Size

713KB
MD5

de754955d421231e309d008e47283c32
SHA1

2ffbcf2bd51a738af0b3a370284b6bf45adfc578
SHA256

b8b35cd14e486e7f34351b1fa3e53c874ea1e26627c3455facbb5880f4220caf
SHA512

e2ad25895b3c80a6c46f4d2de3bc2e2f7b513c9f50c80498505ca11dc1a2cf70e7e6c2dce31c49d70b58823183f2c03be0d895cbc77f2c017e2ae4cbd74cb4d2
SSDEEP

12288:Gi6x47zujH3OB2FmkHTLl7fsnfDKMx4+IKIjwq:v6Czw/zNknfDtxWjX

Score

10^/10

formbook mr9 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

mr9

Decoy

nyasaman.com

brightandcreative.com

decoficinas.com

xzgjjb.com

yhecon.com

parkerkj.com

chpbsr.com

amthanhoto.com

cincilifecoach.com

plexusdentalstudio.com

jennerinvestment.com

rihmj.info

andresdesigner.com

bradandmaryannwhittaker.com

usefulprogrammer.com

voidindarkness.com

onlinespielenundgewinnen.net

hepbee.net

eliterobe.com

sxwwjd.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3104-2-0x0000000000400000-0x00000000004B9000-memory.dmp	formbook

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de754955d421231e309d008e47283c32_JaffaCakes118.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\PowerCfg	de754955d421231e309d008e47283c32_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3104	de754955d421231e309d008e47283c32_JaffaCakes118.exe
3104	de754955d421231e309d008e47283c32_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3104	de754955d421231e309d008e47283c32_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3104	de754955d421231e309d008e47283c32_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\de754955d421231e309d008e47283c32_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de754955d421231e309d008e47283c32_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3104-0-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3104-1-0x0000000002460000-0x0000000002492000-memory.dmp

Filesize
200KB

Download
memory/3104-2-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3104-3-0x0000000003180000-0x00000000034CA000-memory.dmp

Filesize
3.3MB

Download
memory/3104-4-0x0000000002460000-0x0000000002492000-memory.dmp

Filesize
200KB

Download