formbook | 9fe305213e6584a14e5d687540d178a989acb5de8ea5815dab4c262a4f4955da

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe
Size

255KB
MD5

ab494f466a82dd77680845c90d3d374d
SHA1

557fddb9db8aa0f6e72644d0e26e5886930e2310
SHA256

9fe305213e6584a14e5d687540d178a989acb5de8ea5815dab4c262a4f4955da
SHA512

9432d3ea685d2a822aac09a52f6898bb542a95736f296aed43e2a3c1ca074df1c11d08ad99a90698f4b19bc08f85764cc1e57187bcbe90ddcd02991fb59f7565
SSDEEP

6144:8fTuKv/3or5iS1CtvHUC6SQFUZGd3kP+ILbqx6:aTubtL14PrJQuwd3YRL2x6

Score

10^/10

formbook wo rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

studentepd.network

skinsensemoreqe.com

egrevore.com

2xa01v.info

detoxqueen.com

lumiity.com

urbanned.store

appleclinicaltrials.com

bledfetneknauer.win

tdhonlineadv.com

trendcosmo.com

eulermedia.net

bluewatersinvestments.com

hebibafang.com

sacrpc-cad.com

involo.agency

cultivatingajoyfulhome.com

zilkinvestments.com

3taoquan.com

ipmi.group

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4188-22-0x0000000005CB0000-0x0000000005CDA000-memory.dmp	formbook
behavioral2/memory/1016-27-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/1016-30-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 4 IoCs

Processes:

ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exevbc.exemstsc.exe

description	pid	process	target process
PID 4188 set thread context of 1016	4188	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 1016 set thread context of 3460	1016	vbc.exe	Explorer.EXE
PID 1016 set thread context of 3460	1016	vbc.exe	Explorer.EXE
PID 2784 set thread context of 3460	2784	mstsc.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exevbc.exemstsc.exe

pid	process
4188	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe
4188	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe
1016	vbc.exe
1016	vbc.exe
1016	vbc.exe
1016	vbc.exe
1016	vbc.exe
1016	vbc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe
2784	mstsc.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

vbc.exemstsc.exe

pid process

1016 vbc.exe
1016 vbc.exe
1016 vbc.exe
1016 vbc.exe
2784 mstsc.exe
2784 mstsc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exevbc.exemstsc.exe

description pid process

Token: SeDebugPrivilege 4188 ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe
Token: SeDebugPrivilege 1016 vbc.exe
Token: SeDebugPrivilege 2784 mstsc.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Explorer.EXE

pid process

3460 Explorer.EXE
3460 Explorer.EXE
3460 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Explorer.EXE

pid process

3460 Explorer.EXE
3460 Explorer.EXE
3460 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3460 Explorer.EXE

pid	process
1016	vbc.exe
1016	vbc.exe
1016	vbc.exe
1016	vbc.exe
2784	mstsc.exe
2784	mstsc.exe

description	pid	process
Token: SeDebugPrivilege	4188	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe
Token: SeDebugPrivilege	1016	vbc.exe
Token: SeDebugPrivilege	2784	mstsc.exe

pid	process
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE

pid	process
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE

pid	process
3460	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ab494f466a82dd77680845c90d3d374d_JaffaCakes118.execsc.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 4188 wrote to memory of 1236	4188	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	csc.exe
PID 4188 wrote to memory of 1236	4188	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	csc.exe
PID 4188 wrote to memory of 1236	4188	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	csc.exe
PID 1236 wrote to memory of 4248	1236	csc.exe	cvtres.exe
PID 1236 wrote to memory of 4248	1236	csc.exe	cvtres.exe
PID 1236 wrote to memory of 4248	1236	csc.exe	cvtres.exe
PID 4188 wrote to memory of 1016	4188	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 4188 wrote to memory of 1016	4188	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 4188 wrote to memory of 1016	4188	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 4188 wrote to memory of 1016	4188	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 4188 wrote to memory of 1016	4188	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 4188 wrote to memory of 1016	4188	ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe	vbc.exe
PID 3460 wrote to memory of 2784	3460	Explorer.EXE	mstsc.exe
PID 3460 wrote to memory of 2784	3460	Explorer.EXE	mstsc.exe
PID 3460 wrote to memory of 2784	3460	Explorer.EXE	mstsc.exe
PID 2784 wrote to memory of 3260	2784	mstsc.exe	cmd.exe
PID 2784 wrote to memory of 3260	2784	mstsc.exe	cmd.exe
PID 2784 wrote to memory of 3260	2784	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3460

C:\Users\Admin\AppData\Local\Temp\ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ntooscit\ntooscit.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B5E.tmp" "c:\Users\Admin\AppData\Local\Temp\ntooscit\CSC278CE189450C4205A6FBC56F51FB3F7D.TMP"
4⤵
PID:4248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
PID:3260

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5B5E.tmp
Filesize
1KB

MD5
a5b2a1e8c841860826d39fab97448d3c

SHA1
5f0e0113dcf29ae210a365cc1d68dd1723c73fd7

SHA256
cf3de572fceaf492ed7a7f91c9e6f9cbeeda43cc7c404627231973836c9f42f5

SHA512
99751a2b4884ac0f053cf9401e506672a03f847562bec4b2c77c7619ba2efb04e0c2c9518aba203d2b5ec997d8732530ca40f4c7eb7dc1b740c6a777fa0f791e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntooscit\ntooscit.dll
Filesize
11KB

MD5
b251bc23de21bb27e804533c86435691

SHA1
e8ea2b38cacc57e6ccc9c77330e10151b4df72c5

SHA256
1d53dcb85f9538b2df4c1668b8f39e13932f72d0d15b01e1561986c2e0b1c4e5

SHA512
69974c7a52b0147249e8ebeec7ad282f722a9b83cdcb34e96d8673ff11f0f180d1e8dbf70325948340f65d990681776bde186617e1eca5b31af7d6c60564f63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntooscit\ntooscit.pdb
Filesize
37KB

MD5
49cf50566a1e06f06a59e4edc2695c5d

SHA1
c0ef38f8c388adee1fc5c9d296ca363e7c55fcbc

SHA256
d3adb8af30f340185672e362ac2d0102893257bc3f7991a8804cc7a86b6fd986

SHA512
69386c4d2a1c07461cec2732481aec2127a494cd0b7804e6bc6458f2f34abd3edbe43da7f0a361a6a3c6071f43040f06fe80446f6edcf2ab0e85569ae62ac4a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ntooscit\CSC278CE189450C4205A6FBC56F51FB3F7D.TMP
Filesize
1KB

MD5
3e73ee089221828ef3bdd53819baaef1

SHA1
9cd2708c96df8856717877e673723e99cef62607

SHA256
d312a73552859ba9a2faa7505c715e6a282017446a7fdb88bdce602b32a38c6a

SHA512
9d4b828580a4857d9be7819351fbf0d653afa84a9002cede25a961cf96f57c8b5526a8948c92c650f0c319cbe90738a9e9c6b6f85704a4eeddaa481dce2e38f2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ntooscit\ntooscit.0.cs
Filesize
17KB

MD5
b7252c18bbd3a3e6d46029d8382ab393

SHA1
501c7f88aec9f9f4538fa93bb54eae348480799a

SHA256
4694c04c73c327d616a7f9c525eafebb3a067bcde43a3d9bc37dfda77d185d0d

SHA512
3ae60e94fc7bd96e842f6926c7e6adeccde08b959b43bc8ae7163ec8ba7d83203e1a8269d4ea4f339040d6a65a08b3e2dbc1dcc854b9e6912e426897436dc071

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ntooscit\ntooscit.cmdline
Filesize
312B

MD5
2c7780dab3b7e356945efcd2904f8220

SHA1
075e45f6f4936c2bb2cf7a0b980bfd7c84047ad4

SHA256
c68e0ca4967eb005a64571acaa3279b1b1493ac1aba7c5e5120b1eeb9321a9eb

SHA512
83f92d2811fc7fbb218da5089505d460b0925f4da35d0f5609fc2ff0292467c1abe853442398f03c0be4195bedd61cf7360acaeb95f9b0c28d80f1c305c5edd2

Download Submit
memory/1016-30-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1016-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1016-32-0x0000000000430000-0x00000000004F9000-memory.dmp

Filesize
804KB

Download
memory/2784-33-0x0000000000FA0000-0x00000000010DA000-memory.dmp

Filesize
1.2MB

Download
memory/2784-36-0x0000000000FA0000-0x00000000010DA000-memory.dmp

Filesize
1.2MB

Download
memory/3460-28-0x00000000036D0000-0x0000000003813000-memory.dmp

Filesize
1.3MB

Download
memory/3460-42-0x0000000009340000-0x00000000093FE000-memory.dmp

Filesize
760KB

Download
memory/3460-40-0x0000000009620000-0x00000000097B2000-memory.dmp

Filesize
1.6MB

Download
memory/3460-39-0x00000000036D0000-0x0000000003813000-memory.dmp

Filesize
1.3MB

Download
memory/3460-31-0x0000000009620000-0x00000000097B2000-memory.dmp

Filesize
1.6MB

Download
memory/4188-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/4188-19-0x0000000005830000-0x00000000058C2000-memory.dmp

Filesize
584KB

Download
memory/4188-1-0x0000000000E00000-0x0000000000E44000-memory.dmp

Filesize
272KB

Download
memory/4188-5-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4188-17-0x00000000016E0000-0x00000000016EA000-memory.dmp

Filesize
40KB

Download
memory/4188-23-0x0000000005F30000-0x0000000005FCC000-memory.dmp

Filesize
624KB

Download
memory/4188-37-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4188-22-0x0000000005CB0000-0x0000000005CDA000-memory.dmp

Filesize
168KB

Download
memory/4188-21-0x0000000003320000-0x000000000332C000-memory.dmp

Filesize
48KB

Download
memory/4188-20-0x0000000005C70000-0x0000000005CAA000-memory.dmp

Filesize
232KB

Download