formbook | 414981248ce4add440d42b94db54d8badb3c6292531c7fc41f2a598720f61403

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
Size

631KB
MD5

afa1f1e2431e946dabc785135bb49796
SHA1

bdc5d91a7055fe531cbc37969427db58bb954508
SHA256

414981248ce4add440d42b94db54d8badb3c6292531c7fc41f2a598720f61403
SHA512

c593f6eb4ec9c9287a72d38f8bf51abbc8520e9ac4ad92c3f8dab52126c06c2346aeac9448b5b3d1914cd1694145db8400568ff2e071ea71286e2743c7bd25ab
SSDEEP

12288:eE5TvcnBI9m5Xq+geZ7KM7XYrveJ/8kprLT3hYOeSOm+:eqcBI9m5IeNr7XYrWJZ/32OeSOt

Score

10^/10

formbook bs rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

qiancheng.ink

smyeoii.win

bluelightscampaign.com

partemail.site

xn--nckd9a8e8d.com

sharpart.net

customillusionsstl.com

else-marketing.com

thetaxglossary.com

ubaiyi.com

gihkf.com

rajshahishoppers.com

thekinasihbogor.com

paintstracts.com

veraspirits.com

1500pe.com

mv7on.com

masstortlitigator.com

simonsem.com

booker-media.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/4200-9-0x0000000000400000-0x000000000042A000-memory.dmp formbook
Suspicious use of SetThreadContext 1 IoCs

Processes:

afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe

description pid process target process

PID 2388 set thread context of 4200 2388 afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe

resource	yara_rule
behavioral2/memory/4200-9-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

description	pid	process	target process
PID 2388 set thread context of 4200	2388	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exeafa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe

pid	process
2388	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
2388	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
2388	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
2388	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
2388	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
2388	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
2388	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
2388	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
4200	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
4200	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe

pid process

2388 afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe

description	pid	process	target process
PID 2388 wrote to memory of 4200	2388	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
PID 2388 wrote to memory of 4200	2388	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
PID 2388 wrote to memory of 4200	2388	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
PID 2388 wrote to memory of 4200	2388	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe	afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\afa1f1e2431e946dabc785135bb49796_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4312 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2388-0-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2388-1-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2388-2-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2388-6-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2388-5-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2388-4-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2388-3-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2388-8-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2388-7-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/4200-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download