formbook | 2ae786f785ba80e7dff4543d1f0abe34a5ad5c44d8bd667bb59ca31d0a5803d9

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/09/2024, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3ab4dc4cf854bb513854423de6d8db6_JaffaCakes118.exe
Size

408KB
MD5

e3ab4dc4cf854bb513854423de6d8db6
SHA1

903d735a2758c21383461fc53c206f24eeab231a
SHA256

2ae786f785ba80e7dff4543d1f0abe34a5ad5c44d8bd667bb59ca31d0a5803d9
SHA512

ab02902e59c6cd209bc65d5e9ee58c1ed1aed4af1dd66c16addc9650c973dbf1f8de716e17341810c1ef8f2c13905aff5111765024b1b02d19301d7deb19d26f
SSDEEP

6144:cJZj3XBjlkq27zgxRokJPukWORQjjadZt4RAfa/SqwqG:MzZo7cv74Sau/yaq

Score

10^/10

formbook gtb discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gtb

Decoy

kbsvipbags.com

grandma-salt.com

org-id100.info

marketobserverllc.com

robjmccarthy.com

orbitnest.com

7d5d.com

hotdealsallday.com

kaban-shitsuji.com

eivisionexport.com

luatfv.com

creationxbydom.com

realjuku.com

roast365.com

epis2020.com

schcman.com

xn--pimi-ooa.com

jobshustle.com

rightnewswire.com

seguonra.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3616-205-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3616-209-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
3616	ngentask.exe

Loads dropped DLL 1 IoCs

pid	Process
4856	e3ab4dc4cf854bb513854423de6d8db6_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4856 set thread context of 3616	4856	e3ab4dc4cf854bb513854423de6d8db6_JaffaCakes118.exe	91
PID 3616 set thread context of 3412	3616	ngentask.exe	56
PID 4268 set thread context of 3412	4268	wlanext.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3ab4dc4cf854bb513854423de6d8db6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
4856	e3ab4dc4cf854bb513854423de6d8db6_JaffaCakes118.exe
3616	ngentask.exe
3616	ngentask.exe
3616	ngentask.exe
3616	ngentask.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe
4268	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3616	ngentask.exe
3616	ngentask.exe
3616	ngentask.exe
4268	wlanext.exe
4268	wlanext.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	e3ab4dc4cf854bb513854423de6d8db6_JaffaCakes118.exe
Token: SeDebugPrivilege	3616	ngentask.exe
Token: SeDebugPrivilege	4268	wlanext.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 3616	4856	e3ab4dc4cf854bb513854423de6d8db6_JaffaCakes118.exe	91
PID 4856 wrote to memory of 3616	4856	e3ab4dc4cf854bb513854423de6d8db6_JaffaCakes118.exe	91
PID 4856 wrote to memory of 3616	4856	e3ab4dc4cf854bb513854423de6d8db6_JaffaCakes118.exe	91
PID 4856 wrote to memory of 3616	4856	e3ab4dc4cf854bb513854423de6d8db6_JaffaCakes118.exe	91
PID 4856 wrote to memory of 3616	4856	e3ab4dc4cf854bb513854423de6d8db6_JaffaCakes118.exe	91
PID 4856 wrote to memory of 3616	4856	e3ab4dc4cf854bb513854423de6d8db6_JaffaCakes118.exe	91
PID 3412 wrote to memory of 4268	3412	Explorer.EXE	92
PID 3412 wrote to memory of 4268	3412	Explorer.EXE	92
PID 3412 wrote to memory of 4268	3412	Explorer.EXE	92
PID 4268 wrote to memory of 1724	4268	wlanext.exe	93
PID 4268 wrote to memory of 1724	4268	wlanext.exe	93
PID 4268 wrote to memory of 1724	4268	wlanext.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\e3ab4dc4cf854bb513854423de6d8db6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e3ab4dc4cf854bb513854423de6d8db6_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\ngentask.exe
    "C:\Users\Admin\AppData\Local\Temp\ngentask.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3616
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ngentask.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a6a0b8a6-4761-4357-9a31-0eca6ad70093\f.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngentask.exe

Filesize
85KB

MD5
c6ce045ca7809169a017f73d45c21462

SHA1
7d2504133d8235e91c2e98355c4f223cdf500d4d

SHA256
41019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6

SHA512
cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205

Download Submit
memory/3412-224-0x0000000003250000-0x0000000003313000-memory.dmp

Filesize
780KB

Download
memory/3412-221-0x0000000003250000-0x0000000003313000-memory.dmp

Filesize
780KB

Download
memory/3412-217-0x0000000008B30000-0x0000000008C91000-memory.dmp

Filesize
1.4MB

Download
memory/3412-211-0x0000000008B30000-0x0000000008C91000-memory.dmp

Filesize
1.4MB

Download
memory/3616-205-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3616-207-0x00000000019F0000-0x0000000001D3A000-memory.dmp

Filesize
3.3MB

Download
memory/3616-210-0x0000000001380000-0x0000000001394000-memory.dmp

Filesize
80KB

Download
memory/3616-209-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4268-215-0x0000000000200000-0x0000000000217000-memory.dmp

Filesize
92KB

Download
memory/4856-50-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-36-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-56-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-40-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-26-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-14-0x0000000073D50000-0x0000000073DD9000-memory.dmp

Filesize
548KB

Download
memory/4856-76-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-72-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-70-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-68-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-66-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-64-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-62-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-60-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-58-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-54-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-52-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-6-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/4856-48-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-46-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-44-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-42-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-38-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-74-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-34-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-32-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-30-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-28-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-24-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-22-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-20-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-18-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-16-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-15-0x0000000005400000-0x0000000005425000-memory.dmp

Filesize
148KB

Download
memory/4856-195-0x00000000752CE000-0x00000000752CF000-memory.dmp

Filesize
4KB

Download
memory/4856-196-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4856-197-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4856-199-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4856-5-0x0000000005510000-0x0000000005554000-memory.dmp

Filesize
272KB

Download
memory/4856-4-0x0000000005B80000-0x0000000006124000-memory.dmp

Filesize
5.6MB

Download
memory/4856-3-0x0000000005400000-0x000000000542C000-memory.dmp

Filesize
176KB

Download
memory/4856-2-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4856-1-0x0000000000AE0000-0x0000000000B4C000-memory.dmp

Filesize
432KB

Download
memory/4856-0-0x00000000752CE000-0x00000000752CF000-memory.dmp

Filesize
4KB

Download
memory/4856-200-0x00000000066D0000-0x00000000066DC000-memory.dmp

Filesize
48KB

Download
memory/4856-206-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download