formbook | 9fe305213e6584a14e5d687540d178a989acb5de8ea5815dab4c262a4f4955da

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe
Size

255KB
MD5

ab494f466a82dd77680845c90d3d374d
SHA1

557fddb9db8aa0f6e72644d0e26e5886930e2310
SHA256

9fe305213e6584a14e5d687540d178a989acb5de8ea5815dab4c262a4f4955da
SHA512

9432d3ea685d2a822aac09a52f6898bb542a95736f296aed43e2a3c1ca074df1c11d08ad99a90698f4b19bc08f85764cc1e57187bcbe90ddcd02991fb59f7565
SSDEEP

6144:8fTuKv/3or5iS1CtvHUC6SQFUZGd3kP+ILbqx6:aTubtL14PrJQuwd3YRL2x6

Score

10^/10

formbook wo rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

studentepd.network

skinsensemoreqe.com

egrevore.com

2xa01v.info

detoxqueen.com

lumiity.com

urbanned.store

appleclinicaltrials.com

bledfetneknauer.win

tdhonlineadv.com

trendcosmo.com

eulermedia.net

bluewatersinvestments.com

hebibafang.com

sacrpc-cad.com

involo.agency

cultivatingajoyfulhome.com

zilkinvestments.com

3taoquan.com

ipmi.group

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 2 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/2888-21-0x0000000000B10000-0x0000000000B3A000-memory.dmp formbook
behavioral1/memory/2624-30-0x0000000000400000-0x000000000042A000-memory.dmp formbook
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

resource	yara_rule
behavioral1/memory/2888-21-0x0000000000B10000-0x0000000000B3A000-memory.dmp	formbook
behavioral1/memory/2624-30-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exevbc.exesystray.exe

description	pid	process	target process
PID 2888 set thread context of 2624	2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 2624 set thread context of 1380	2624	vbc.exe	Explorer.EXE
PID 2628 set thread context of 1380	2628	systray.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exevbc.exesystray.exe

pid	process
2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe
2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe
2624	vbc.exe
2624	vbc.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe
2628	systray.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exesystray.exe

pid process

2624 vbc.exe
2624 vbc.exe
2624 vbc.exe
2628 systray.exe
2628 systray.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exevbc.exesystray.exe

description pid process

Token: SeDebugPrivilege 2888 ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe
Token: SeDebugPrivilege 2624 vbc.exe
Token: SeDebugPrivilege 2628 systray.exe

pid	process
2624	vbc.exe
2624	vbc.exe
2624	vbc.exe
2628	systray.exe
2628	systray.exe

description	pid	process
Token: SeDebugPrivilege	2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe
Token: SeDebugPrivilege	2624	vbc.exe
Token: SeDebugPrivilege	2628	systray.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

ab494f466a82dd77680845c90d3d374d_JaffaCakes118.execsc.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 2888 wrote to memory of 2768	2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	csc.exe
PID 2888 wrote to memory of 2768	2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	csc.exe
PID 2888 wrote to memory of 2768	2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	csc.exe
PID 2888 wrote to memory of 2768	2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	csc.exe
PID 2768 wrote to memory of 1720	2768	csc.exe	cvtres.exe
PID 2768 wrote to memory of 1720	2768	csc.exe	cvtres.exe
PID 2768 wrote to memory of 1720	2768	csc.exe	cvtres.exe
PID 2768 wrote to memory of 1720	2768	csc.exe	cvtres.exe
PID 2888 wrote to memory of 2624	2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 2888 wrote to memory of 2624	2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 2888 wrote to memory of 2624	2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 2888 wrote to memory of 2624	2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 2888 wrote to memory of 2624	2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 2888 wrote to memory of 2624	2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 2888 wrote to memory of 2624	2888	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 1380 wrote to memory of 2628	1380	Explorer.EXE	systray.exe
PID 1380 wrote to memory of 2628	1380	Explorer.EXE	systray.exe
PID 1380 wrote to memory of 2628	1380	Explorer.EXE	systray.exe
PID 1380 wrote to memory of 2628	1380	Explorer.EXE	systray.exe
PID 2628 wrote to memory of 2508	2628	systray.exe	cmd.exe
PID 2628 wrote to memory of 2508	2628	systray.exe	cmd.exe
PID 2628 wrote to memory of 2508	2628	systray.exe	cmd.exe
PID 2628 wrote to memory of 2508	2628	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l5qj21sq\l5qj21sq.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAE.tmp" "c:\Users\Admin\AppData\Local\Temp\l5qj21sq\CSC8697E69AA1B34A74AF23FAA9DA3326.TMP"
4⤵
PID:1720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
PID:2508

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCAE.tmp
Filesize
1KB

MD5
c1efdaa3a3971b8811e42f2b913dc80b

SHA1
dd94e81cfeac10a7e708f6fdda9335387af52423

SHA256
91ebee2a781d7e7352181a4152cb5225f59b9c6f3ea3e5078c1d7048bad7ace0

SHA512
ed868053037481c799502e0de64d2bd3c83c1adf818c8e8fa1fd3d832ed79d0e8eaba06b968f7d529ce9e4f40686d8e57b235d181e07bab559d05f7a6218e3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\l5qj21sq\l5qj21sq.dll
Filesize
11KB

MD5
2e672c7166ac167bd72a2cd332a8dfc8

SHA1
e99933f96c4dcf7d7349e62d3d8069ee574ae7c1

SHA256
a5d1cd13e8006855d8ae5147b0b43f9d8cad096e7e896cd0dc8ba15dfcaeede6

SHA512
a533e42c2db6332e55a4d784e8b9c2b09a47fa45b72b2dc99177452973b80e8a0252b40ca419303211e8ccb419375c10e8b26905e9139456a5448e54c7747fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\l5qj21sq\l5qj21sq.pdb
Filesize
37KB

MD5
d5c15ca42501e5800e67ec51e85d597a

SHA1
4c0bea34922abc11ba6f699c061e3a06a0b8332d

SHA256
88fb1366a2f5a9ac107a7d1bf129fd0b31e76485585b0a09144210a2abfe2de0

SHA512
6bb25f57534b337c0c41f1115b8cf1c1066ebb0da7559744f78bc771c25b1a2f44dc46f060df4ff1669bb690f1419b27abf50ae4aba624aab1936b744738045c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l5qj21sq\CSC8697E69AA1B34A74AF23FAA9DA3326.TMP
Filesize
1KB

MD5
99af67048cbf70b3dc706a2bd5ebe3a6

SHA1
122802fbba6f9b763fa5a4307d01586bee06e507

SHA256
96bab46e7571f949e90832587ea4e5dcbdc703038482b35d24ac06ebe390c133

SHA512
9686c854bf03e2ea81c7e1768e775344173dac27f90c391fd81919ee156f8eb4a349194310be598b0fa2c52f560887a35163f9ab292ee314e9c2673813bb2478

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l5qj21sq\l5qj21sq.0.cs
Filesize
17KB

MD5
b7252c18bbd3a3e6d46029d8382ab393

SHA1
501c7f88aec9f9f4538fa93bb54eae348480799a

SHA256
4694c04c73c327d616a7f9c525eafebb3a067bcde43a3d9bc37dfda77d185d0d

SHA512
3ae60e94fc7bd96e842f6926c7e6adeccde08b959b43bc8ae7163ec8ba7d83203e1a8269d4ea4f339040d6a65a08b3e2dbc1dcc854b9e6912e426897436dc071

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l5qj21sq\l5qj21sq.cmdline
Filesize
312B

MD5
a87e656a57ca96f58f5bab4b9e688548

SHA1
e63b6815cc169d1e46279d496dab14fe3f0c91d5

SHA256
0eb8b860eece51fe579946dde4bd85cb7cf8c90e77c87765f4efbb9533ee2a99

SHA512
2faff5087671016cecfc6dcd6957d3e16cba5407ae9b8a58b8bb51f8edfb63b908aac1af8324ba990a46306a7648127afa9a56306159325009b1720a64d1e6c0

Download Submit
memory/1380-29-0x0000000002F60000-0x0000000003060000-memory.dmp

Filesize
1024KB

Download
memory/1380-38-0x0000000005270000-0x0000000005385000-memory.dmp

Filesize
1.1MB

Download
memory/1380-31-0x0000000005270000-0x0000000005385000-memory.dmp

Filesize
1.1MB

Download
memory/2624-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2624-30-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2624-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2624-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2628-33-0x00000000002A0000-0x00000000002A5000-memory.dmp

Filesize
20KB

Download
memory/2628-34-0x00000000002A0000-0x00000000002A5000-memory.dmp

Filesize
20KB

Download
memory/2888-27-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-19-0x0000000000CF0000-0x0000000000D2A000-memory.dmp

Filesize
232KB

Download
memory/2888-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/2888-17-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2888-6-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-21-0x0000000000B10000-0x0000000000B3A000-memory.dmp

Filesize
168KB

Download
memory/2888-20-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2888-1-0x0000000000F60000-0x0000000000FA4000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads