formbook | 4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7

Analysis

max time kernel
135s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/09/2024, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7cc07a1704145c6843330345fd1ce0b_JaffaCakes118.exe
Size

472KB
MD5

e7cc07a1704145c6843330345fd1ce0b
SHA1

6da282da7b2151eeb7da06b0ce8e1beb64e585a1
SHA256

4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7
SHA512

45ed8bf0670a38dc090f766120e1e1612826a24434c39b6afacb04ed023fafd2561a53e2680917cb5fdcea8919bcc5c20af0e53eebaa181d186dc6b4eba01b6e
SSDEEP

12288:Yz2RENHa7bDjN3MyC2AzkfCpzGmZSgW+b3:Yzuw2N2pzGmq+b

Score

10^/10

formbook by discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.0

Campaign

Decoy

mozkuia.com

oyxezj.men

valuecodeconsultants.com

ivyleaguetraining.com

darqvam.run

izmirkadinsagligi.com

cvn8866.com

yourbigandgood4updates.review

cajienvios.com

promypages.info

trendsreverso.com

veganspoonfuls.info

p2ptexting.com

hdwmy.com

wmrobots.net

danstamos.com

rewardcarousel.com

esports-mindset.com

kccustodylawyer.com

longdingsz.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3444-1-0x0000000010000000-0x000000001007A000-memory.dmp	formbook
behavioral2/memory/3444-2-0x0000000010005000-0x0000000010032000-memory.dmp	formbook

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4272	3444	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7cc07a1704145c6843330345fd1ce0b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3444	e7cc07a1704145c6843330345fd1ce0b_JaffaCakes118.exe
3444	e7cc07a1704145c6843330345fd1ce0b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e7cc07a1704145c6843330345fd1ce0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7cc07a1704145c6843330345fd1ce0b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 420
  2⤵
  - Program crash
  PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3444 -ip 3444
1⤵
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3444-0-0x0000000010005000-0x0000000010032000-memory.dmp

Filesize
180KB

Download
memory/3444-1-0x0000000010000000-0x000000001007A000-memory.dmp

Filesize
488KB

Download
memory/3444-2-0x0000000010005000-0x0000000010032000-memory.dmp

Filesize
180KB

Download