formbook | 40a35fc445ad1fc7075970dc0f3d650ca1acceda71bf4d882e7403e3ef2b2896

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
Size

803KB
MD5

b1476a5884e12126481a80a2342a71c5
SHA1

2e3d833cff9ce52aa215fbb3f05be770ccfaea8a
SHA256

40a35fc445ad1fc7075970dc0f3d650ca1acceda71bf4d882e7403e3ef2b2896
SHA512

660150236f91c95369f2fc9d1af3880d210512bacd9856c68a087ac24d15923a0a711413f068e1566617529656ad70e290f7d8f34fcfa92c9ca1354f817ae5db
SSDEEP

6144:EpEc6LLqTnBsutsDn4Bn0lJe38COv8XmTjkLm8nfsxF7wjim/vhcJvJwbZz:EyPL+D6700lWM82vkLnfOOim31bZ

Score

10^/10

formbook dg1 agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

dg1

Decoy

pilatesmania.life

5bcoin.com

ammowillcall.com

quickwinz.market

terigele.com

sohotoken.com

tielingwww.site

lz2b3.info

norisc.com

digitalkonsultan.com

925manbetx.com

laricipark.com

quantum7nutrition.com

xceedcg.com

hanagel.com

cane91.download

iotadocker.com

brackenupholstery.com

erfolg-sichern.online

bihuorg.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/1800-11-0x0000000000080000-0x00000000000AA000-memory.dmp formbook
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral1/memory/2032-2-0x00000000002B0000-0x00000000002D8000-memory.dmp agile_net
Suspicious use of SetThreadContext 1 IoCs

Processes:

b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

description pid process target process

PID 2032 set thread context of 1800 2032 b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

pid process

1800 b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2032 b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

resource	yara_rule
behavioral1/memory/1800-11-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook

resource	yara_rule
behavioral1/memory/2032-2-0x00000000002B0000-0x00000000002D8000-memory.dmp	agile_net

description	pid	process	target process
PID 2032 set thread context of 1800	2032	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

pid	process
1800	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2032	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

description	pid	process	target process
PID 2032 wrote to memory of 1800	2032	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
PID 2032 wrote to memory of 1800	2032	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
PID 2032 wrote to memory of 1800	2032	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
PID 2032 wrote to memory of 1800	2032	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
PID 2032 wrote to memory of 1800	2032	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
PID 2032 wrote to memory of 1800	2032	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
PID 2032 wrote to memory of 1800	2032	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1800

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-6-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1800-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1800-8-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1800-11-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1800-14-0x0000000000AA0000-0x0000000000DA3000-memory.dmp

Filesize
3.0MB

Download
memory/2032-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/2032-1-0x0000000000360000-0x000000000042E000-memory.dmp

Filesize
824KB

Download
memory/2032-2-0x00000000002B0000-0x00000000002D8000-memory.dmp

Filesize
160KB

Download
memory/2032-3-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2032-4-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2032-13-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download