formbook | 40a35fc445ad1fc7075970dc0f3d650ca1acceda71bf4d882e7403e3ef2b2896

Analysis

max time kernel
52s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
Size

803KB
MD5

b1476a5884e12126481a80a2342a71c5
SHA1

2e3d833cff9ce52aa215fbb3f05be770ccfaea8a
SHA256

40a35fc445ad1fc7075970dc0f3d650ca1acceda71bf4d882e7403e3ef2b2896
SHA512

660150236f91c95369f2fc9d1af3880d210512bacd9856c68a087ac24d15923a0a711413f068e1566617529656ad70e290f7d8f34fcfa92c9ca1354f817ae5db
SSDEEP

6144:EpEc6LLqTnBsutsDn4Bn0lJe38COv8XmTjkLm8nfsxF7wjim/vhcJvJwbZz:EyPL+D6700lWM82vkLnfOOim31bZ

Score

10^/10

formbook dg1 agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

dg1

Decoy

pilatesmania.life

5bcoin.com

ammowillcall.com

quickwinz.market

terigele.com

sohotoken.com

tielingwww.site

lz2b3.info

norisc.com

digitalkonsultan.com

925manbetx.com

laricipark.com

quantum7nutrition.com

xceedcg.com

hanagel.com

cane91.download

iotadocker.com

brackenupholstery.com

erfolg-sichern.online

bihuorg.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/400-7-0x0000000000400000-0x000000000042A000-memory.dmp formbook
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral2/memory/3740-2-0x0000000002820000-0x0000000002848000-memory.dmp agile_net
Suspicious use of SetThreadContext 1 IoCs

Processes:

b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

description pid process target process

PID 3740 set thread context of 400 3740 b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

pid process

400 b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
400 b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 3740 b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

resource	yara_rule
behavioral2/memory/400-7-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

resource	yara_rule
behavioral2/memory/3740-2-0x0000000002820000-0x0000000002848000-memory.dmp	agile_net

description	pid	process	target process
PID 3740 set thread context of 400	3740	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

pid	process
400	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
400	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3740	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

description	pid	process	target process
PID 3740 wrote to memory of 400	3740	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
PID 3740 wrote to memory of 400	3740	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
PID 3740 wrote to memory of 400	3740	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
PID 3740 wrote to memory of 400	3740	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
PID 3740 wrote to memory of 400	3740	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
PID 3740 wrote to memory of 400	3740	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe	b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740

C:\Users\Admin\AppData\Local\Temp\b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:400

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/400-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/400-10-0x0000000001AA0000-0x0000000001DEA000-memory.dmp

Filesize
3.3MB

Download
memory/3740-0-0x000000007473E000-0x000000007473F000-memory.dmp

Filesize
4KB

Download
memory/3740-1-0x00000000004C0000-0x000000000058E000-memory.dmp

Filesize
824KB

Download
memory/3740-2-0x0000000002820000-0x0000000002848000-memory.dmp

Filesize
160KB

Download
memory/3740-3-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/3740-4-0x0000000005030000-0x00000000050C2000-memory.dmp

Filesize
584KB

Download
memory/3740-5-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/3740-6-0x0000000005A70000-0x0000000005B0C000-memory.dmp

Filesize
624KB

Download
memory/3740-9-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download