formbook | d3f52b04b3bef1998a713fecaedd72571949ff4e62e83f54896a42e6e26582e7

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe
Size

408KB
MD5

b45cd50bd3d5db6cb3e5889b960fdfb7
SHA1

c45485a4eb8211269e1897ee018fb6d181744976
SHA256

d3f52b04b3bef1998a713fecaedd72571949ff4e62e83f54896a42e6e26582e7
SHA512

754b5c5d8228e0843d091613183bf4cf58b01088d88404196368ec040837cfb594b677c07b0d1b915937b2838b06af680471bf342bbac62dca442fd1b9f6803d
SSDEEP

6144:lcN+ZQW4GQUa7gLASsKOp4Wk2p4X1iPA8tPVPVahgxzKYLBeqxRp37B:+YCBUdUHp4Wk2pAUPoM11eUZ

Score

10^/10

formbook cu rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

auditingforgood.com

frndcoin.com

thisroadcycling.com

vjchicken.com

justinemendes.com

64nvnv.com

lisaardinnisfree.com

yacht2cruise.com

matkailuautohelsinki.com

com-unlock-privatesb.info

prostor-seo.com

weldesignscompany.com

regalrebel.love

absolutesecurityco.com

kuashidaisc.com

projectfelicity.com

network-security-alert.site

beginnerconcepts.com

beautyallabout.com

hanbanuo.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/3540-2-0x0000000000400000-0x0000000000466000-memory.dmp formbook
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe

pid process

3540 b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe
3540 b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe

pid process

3540 b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe
3540 b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe

pid process

3540 b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe
3540 b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe

pid process

3540 b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe

resource	yara_rule
behavioral2/memory/3540-2-0x0000000000400000-0x0000000000466000-memory.dmp	formbook

pid	process
3540	b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe
3540	b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe

pid	process
3540	b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe
3540	b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe

pid	process
3540	b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe
3540	b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe

pid	process
3540	b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b45cd50bd3d5db6cb3e5889b960fdfb7_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3540-3-0x0000000077441000-0x0000000077561000-memory.dmp

Filesize
1.1MB

Download
memory/3540-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3540-4-0x000000000BF30000-0x000000000C27A000-memory.dmp

Filesize
3.3MB

Download