formbook | 1c761d2f1d96caf7adfd8d3ff3ffe5115bd9c870f3942874f11505667526df3a

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe
Size

536KB
MD5

b721de24bb88a9fb9ae36f96b5ba899d
SHA1

8ec7af6d279cd2280533ebfb211024c6088775a4
SHA256

1c761d2f1d96caf7adfd8d3ff3ffe5115bd9c870f3942874f11505667526df3a
SHA512

b0ed2c65898175622f8b742c1af6a9f2794182d0789d6bba3887441b2eb803472cc831e10c1d2de9752f4ea86dd659a79a9fcba319bd92b7723ad3678af2077e
SSDEEP

12288:LAv4NKgAC01fLLrHWNqVhr5g/LbRnRVrIA:HnSLrHgcy/fVz

Score

10^/10

formbook j1 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

559015.top

itwasntscalable.com

butteredcrumb.com

3124kk.com

boxerar.com

myk33.com

transitionwithtiffany.com

whitfielddiffie.com

youjieyuwang.com

nw2hl.info

calderas-profesionales.com

scoreoutlook.com

haloukaka.com

mysosdoctor.com

sologoods.com

thehonestcannabist.com

litlight.online

diodkm.ink

mojilifemedia.com

774opebet.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/2928-4-0x0000000000400000-0x000000000048B000-memory.dmp formbook
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe

pid process

2928 b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe

pid process

2928 b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe
2928 b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe

pid process

2928 b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe
2928 b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe

pid process

2928 b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe

resource	yara_rule
behavioral1/memory/2928-4-0x0000000000400000-0x000000000048B000-memory.dmp	formbook

pid	process
2928	b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe

pid	process
2928	b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe
2928	b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe

pid	process
2928	b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe
2928	b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe

pid	process
2928	b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b721de24bb88a9fb9ae36f96b5ba899d_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2928

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2928-2-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2928-3-0x0000000076F91000-0x0000000077092000-memory.dmp

Filesize
1.0MB

Download
memory/2928-4-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2928-5-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/2928-7-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2928-8-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download