formbook | f12df428fa830292897aabb6f73c5ecf96e855e278c3320e21e45629c84bf9ef

General

Target

084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe
Size

816KB
MD5

084d9c372d05fc7450a7acc2d730e40a
SHA1

e87fbc8d77a456d97cd0c7d8a1f69752f2ef50b0
SHA256

f12df428fa830292897aabb6f73c5ecf96e855e278c3320e21e45629c84bf9ef
SHA512

c3655b286f886b5665ec0dffcea84687046170b72add2a23f287ea8fd3df5cd7daeb402ab5d9af25b163bc454bfa0c30e7f39d2cbfa1dbc385b7575ff92e6dfb
SSDEEP

12288:AlNwTyzx+jxivZgVm2WCD1QbwBaYCQJVHmlZ:AlNwWN+jwZSm2ZivqJVHyZ

Score

10^/10

formbook dyt agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dyt

Decoy

tg0913.com

fhehsjeh.com

hoslergroup.com

bradfordsahm.com

dopefuse.com

4vrlwi.site

greyboxautomations.com

codedlock.com

manifester.guru

luckyvertical.com

marvitrans.net

blushinglips.wine

shreeshyamexporters.com

bkdn.xyz

susanenglert.net

caprichodigital20.com

reianswers.net

alejandrobrand.com

drsineadbeirne.com

dijitak.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 2 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/1880-18-0x0000000000400000-0x000000000042E000-memory.dmp formbook
behavioral1/memory/1880-24-0x0000000000400000-0x000000000042E000-memory.dmp formbook
Executes dropped EXE 1 IoCs

Processes:

AddInProcess32.exe

pid process

1880 AddInProcess32.exe
Loads dropped DLL 1 IoCs

Processes:

084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe

pid process

2376 084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral1/memory/2376-3-0x0000000000D30000-0x0000000000D58000-memory.dmp agile_net

resource	yara_rule
behavioral1/memory/1880-18-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1880-24-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

pid	process
1880	AddInProcess32.exe

resource	yara_rule
behavioral1/memory/2376-3-0x0000000000D30000-0x0000000000D58000-memory.dmp	agile_net

Suspicious use of SetThreadContext 3 IoCs

Processes:

084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exeAddInProcess32.exewlanext.exe

description	pid	process	target process
PID 2376 set thread context of 1880	2376	084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe	AddInProcess32.exe
PID 1880 set thread context of 1184	1880	AddInProcess32.exe	Explorer.EXE
PID 2652 set thread context of 1184	2652	wlanext.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exeAddInProcess32.exewlanext.exe

pid	process
2376	084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe
2376	084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe
1880	AddInProcess32.exe
1880	AddInProcess32.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe
2652	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

AddInProcess32.exewlanext.exe

pid process

1880 AddInProcess32.exe
1880 AddInProcess32.exe
1880 AddInProcess32.exe
2652 wlanext.exe
2652 wlanext.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exeAddInProcess32.exewlanext.exe

description pid process

Token: SeDebugPrivilege 2376 084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe
Token: SeDebugPrivilege 1880 AddInProcess32.exe
Token: SeDebugPrivilege 2652 wlanext.exe

pid	process
1880	AddInProcess32.exe
1880	AddInProcess32.exe
1880	AddInProcess32.exe
2652	wlanext.exe
2652	wlanext.exe

description	pid	process
Token: SeDebugPrivilege	2376	084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe
Token: SeDebugPrivilege	1880	AddInProcess32.exe
Token: SeDebugPrivilege	2652	wlanext.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 2376 wrote to memory of 1880	2376	084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe	AddInProcess32.exe
PID 2376 wrote to memory of 1880	2376	084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe	AddInProcess32.exe
PID 2376 wrote to memory of 1880	2376	084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe	AddInProcess32.exe
PID 2376 wrote to memory of 1880	2376	084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe	AddInProcess32.exe
PID 2376 wrote to memory of 1880	2376	084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe	AddInProcess32.exe
PID 2376 wrote to memory of 1880	2376	084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe	AddInProcess32.exe
PID 2376 wrote to memory of 1880	2376	084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe	AddInProcess32.exe
PID 1184 wrote to memory of 2652	1184	Explorer.EXE	wlanext.exe
PID 1184 wrote to memory of 2652	1184	Explorer.EXE	wlanext.exe
PID 1184 wrote to memory of 2652	1184	Explorer.EXE	wlanext.exe
PID 1184 wrote to memory of 2652	1184	Explorer.EXE	wlanext.exe
PID 2652 wrote to memory of 2496	2652	wlanext.exe	cmd.exe
PID 2652 wrote to memory of 2496	2652	wlanext.exe	cmd.exe
PID 2652 wrote to memory of 2496	2652	wlanext.exe	cmd.exe
PID 2652 wrote to memory of 2496	2652	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\084d9c372d05fc7450a7acc2d730e40a_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
PID:2496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
memory/1184-33-0x0000000004BD0000-0x0000000004CB6000-memory.dmp

Filesize
920KB

Download
memory/1184-23-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/1184-26-0x0000000004BD0000-0x0000000004CB6000-memory.dmp

Filesize
920KB

Download
memory/1880-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1880-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1880-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1880-25-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/1880-21-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1880-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1880-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2376-10-0x0000000000D20000-0x0000000000D26000-memory.dmp

Filesize
24KB

Download
memory/2376-0-0x00000000741FE000-0x00000000741FF000-memory.dmp

Filesize
4KB

Download
memory/2376-4-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2376-5-0x00000000741FE000-0x00000000741FF000-memory.dmp

Filesize
4KB

Download
memory/2376-20-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2376-9-0x0000000000D00000-0x0000000000D14000-memory.dmp

Filesize
80KB

Download
memory/2376-3-0x0000000000D30000-0x0000000000D58000-memory.dmp

Filesize
160KB

Download
memory/2376-2-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2376-7-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2376-6-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2376-1-0x00000000011B0000-0x0000000001282000-memory.dmp

Filesize
840KB

Download
memory/2652-29-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/2652-27-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads