formbook | 76c5f5e72040b7558eb45e8bf87a551f7ccbd67440b4b7ede1a62e579f69f4de

Analysis

max time kernel
138s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
Size

578KB
MD5

b745c75293702c7e47b3c1cafea29d65
SHA1

51b09d18da82e065b48e79c8ca1a53a00219b62c
SHA256

76c5f5e72040b7558eb45e8bf87a551f7ccbd67440b4b7ede1a62e579f69f4de
SHA512

9eb5d3952a60e094fb370b9f479a6c1a7cdc7fe9d0f3ea445c4e76750f829b819e628c396b31343833e03584882ecfc0676ee3a9f92e90b53600cb5cde6ddc26
SSDEEP

12288:tS2a83T3IKwfUu2iKepGZIHsgEUkVyn3TcWItO:tVd3TYr6IpGJgTwynjcW8O

Score

10^/10

formbook el agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

visioncorp.biz

ligriefrelief.com

yadtika.com

tradiscovery.com

merrittandstyle.com

tongcheng.ltd

omclove.com

gronnbygg.com

mragenciesindia.com

14u4.com

thewatchmart.online

urlaubsvideos.net

fmud.ltd

500proxy.online

nisargsangitagrotourism.com

qyygame.com

childhaus.com

431opebet.com

nlpu4n8r41.biz

phoebus-tech.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/1544-8-0x0000000000400000-0x000000000042A000-memory.dmp formbook
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral2/memory/3832-6-0x0000000005900000-0x0000000005914000-memory.dmp agile_net
Suspicious use of SetThreadContext 1 IoCs

Processes:

b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe

description pid process target process

PID 3832 set thread context of 1544 3832 b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe

pid process

1544 b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
1544 b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 3832 b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe

resource	yara_rule
behavioral2/memory/1544-8-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

resource	yara_rule
behavioral2/memory/3832-6-0x0000000005900000-0x0000000005914000-memory.dmp	agile_net

description	pid	process	target process
PID 3832 set thread context of 1544	3832	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe

pid	process
1544	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
1544	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3832	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe

description	pid	process	target process
PID 3832 wrote to memory of 1544	3832	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
PID 3832 wrote to memory of 1544	3832	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
PID 3832 wrote to memory of 1544	3832	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
PID 3832 wrote to memory of 1544	3832	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
PID 3832 wrote to memory of 1544	3832	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
PID 3832 wrote to memory of 1544	3832	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe	b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\AppData\Local\Temp\b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1300,i,8660989700097327804,17931739887231169645,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:8
1⤵
PID:668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1544-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1544-11-0x00000000012B0000-0x00000000015FA000-memory.dmp

Filesize
3.3MB

Download
memory/3832-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/3832-1-0x0000000000E90000-0x0000000000F26000-memory.dmp

Filesize
600KB

Download
memory/3832-2-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/3832-3-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/3832-4-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/3832-5-0x00000000058E0000-0x00000000058EA000-memory.dmp

Filesize
40KB

Download
memory/3832-6-0x0000000005900000-0x0000000005914000-memory.dmp

Filesize
80KB

Download
memory/3832-7-0x0000000006FF0000-0x000000000708C000-memory.dmp

Filesize
624KB

Download
memory/3832-10-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download