formbook | 6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951

Analysis

max time kernel
75s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe
Size

336KB
MD5

7faec042ead4a8402e9097c35bc88a74
SHA1

6040d26db1804db01d3b2687f12ad21fd07068a1
SHA256

6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951
SHA512

da39bef06777e105edacb242f69dc2e8fb30097b32a436c1858dee34d9ba964c67f744d21eca1cc58297b88c61c6f5d6358bf68d0fa09d44784abb57c4958208
SSDEEP

6144:rGiPsaxUSMQAvIm9mebmLojolPgznVVYGWSarT8HzIn:waxW99DZo9gbArT8Hz4

Score

10^/10

formbook h2b0 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h2b0

Decoy

coastmortgageloans.com

sejt.xyz

krisandmeigeni.com

personalbias.com

cubana-pablo.com

nipahvax.com

cxyzjsrc.com

trttanks.com

yoko-by.com

sbyidn.net

metainstagram.faith

katsuyatoken.com

trustminingfx.trade

xsightvideos.online

localemergencies.com

2ab0.com

idahofloat.com

ourdogdream.com

thebestmediaguy.com

forthesaltysouls.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1224-9-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

pid	Process
2116	JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 1224	2116	JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1224	JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1224	2116	JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe	30
PID 2116 wrote to memory of 1224	2116	JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe	30
PID 2116 wrote to memory of 1224	2116	JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe	30
PID 2116 wrote to memory of 1224	2116	JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe	30
PID 2116 wrote to memory of 1224	2116	JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe	30
PID 2116 wrote to memory of 1224	2116	JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe	30
PID 2116 wrote to memory of 1224	2116	JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a02b032ec9f2ab8fd607270afb20b06143ad445d32fb2e3eb1ebf1fbccef951.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsj9686.tmp\cwhxmitph.dll

Filesize
178KB

MD5
e168e018ae7b50b12ccbf621f92a8d80

SHA1
f58c9aca0a2d1f9598fab015124ce3b7b90b973e

SHA256
b13b4eef285efc06e845504a1daec9949d4182c34a9a1737e65c87eba4b04a7a

SHA512
8e4e3b74f4ce9b2a4569d291c23763c3785f3582c199c3be75f462cc4cc01733b287161310733d5cf8c6301cfe25bbc28ebefacb4b944d6acb19fd2f04219111

Download Submit
memory/1224-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-7-0x000000007509A000-0x000000007509C000-memory.dmp

Filesize
8KB

Download