formbook | 1f39e6a010f115acd80ff77f51014ec51c73add290d5377f8b3e13445761c77f

Analysis

max time kernel
93s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe
Size

413KB
MD5

afd99d61920e4ec13867a79c3b108d50
SHA1

6f40885b618fedc62b760fbcbbf142a2a271bdd0
SHA256

1f39e6a010f115acd80ff77f51014ec51c73add290d5377f8b3e13445761c77f
SHA512

907e8edce6998f471e185a1dda7cb39b7ded298641d4d942cede90731913a68eff2fab9f292d50318863b53b16ff10a407040952692aec1e15ce95756a4cfd6c
SSDEEP

6144:nf0IhhtpWXswZQUvAjXAYAabyAI4AeLa8xThl+un1cE/N45MuOI0pkxLR78GKlhc:bhtpWXx3E/NyB0SxLRNkU0fqmu7

Score

10^/10

formbook gmc rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gmc

Decoy

lidaisifang.com

allthatmarket.com

izebike.com

believers.community

redwtf.com

garageloftdesigns.com

flatfeerealtyjax.com

top7blog.com

isotopemimosa.win

turkiyeyedonuyorum.com

rennlaist.com

industryepidemics.com

ps2korea.com

gregoryoreilly.info

bestcheapoemsoftware.com

gudkar.com

soccer-scoring.com

noakhalaup.com

fusejs.com

sendereasy.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/3924-5-0x0000000000400000-0x000000000042D000-memory.dmp formbook
Suspicious use of SetThreadContext 1 IoCs

Processes:

afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe

description pid process target process

PID 3196 set thread context of 3924 3196 afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe

pid process

3924 afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe
3924 afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe

resource	yara_rule
behavioral2/memory/3924-5-0x0000000000400000-0x000000000042D000-memory.dmp	formbook

description	pid	process	target process
PID 3196 set thread context of 3924	3196	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe

pid	process
3924	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe
3924	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe

description	pid	process	target process
PID 3196 wrote to memory of 3924	3196	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe
PID 3196 wrote to memory of 3924	3196	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe
PID 3196 wrote to memory of 3924	3196	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe
PID 3196 wrote to memory of 3924	3196	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe
PID 3196 wrote to memory of 3924	3196	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe
PID 3196 wrote to memory of 3924	3196	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe	afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3196

C:\Users\Admin\AppData\Local\Temp\afd99d61920e4ec13867a79c3b108d50_JaffaCakes118.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3196-0-0x00000000750E2000-0x00000000750E3000-memory.dmp

Filesize
4KB

Download
memory/3196-1-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3196-2-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3196-3-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3196-4-0x00000000750E2000-0x00000000750E3000-memory.dmp

Filesize
4KB

Download
memory/3196-7-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3924-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3924-8-0x00000000011B0000-0x00000000014FA000-memory.dmp

Filesize
3.3MB

Download