formbook | bf84393caee9b769b516681ec8998afe26c22255c405ea9a027608ccf38ea36b

General

Target

13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
Size

823KB
MD5

13b21115bd414b3cff0365351398e92a
SHA1

8a017b7cfc0128c584b64cf8b531e9387a211858
SHA256

bf84393caee9b769b516681ec8998afe26c22255c405ea9a027608ccf38ea36b
SHA512

30681b65911dffd7091ef72e08f0e54197b4f153f89f77590e0d7f714b59066fb95e8861616f44cbcf01b15b148a69bf6dcb02207f73daf2a1ed0067fac0d309
SSDEEP

12288:oLXHsXw4voVatmZZgVm2WCDSZcWl76imBp4EmJi:QXHGTvcA4ZSm2ZymT4EmJi

Score

10^/10

formbook pep agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pep

Decoy

whitelabelgraphics.pro

futureguidefilms.com

mission-duplex.com

rutherealty.com

acehardwaremall.com

potenb.com

tbhawt.com

momentum-ip.group

m8sr8s.com

cfwagner.com

umiyama-eri.com

klantenvinden.com

simplycasd.com

visionhomerecruiting.com

inkjet-material.com

banking-aib.com

fast1performance.com

eventsbyja.com

breuer.network

smartecelectronics.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 2 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/2680-34-0x0000000000400000-0x000000000042E000-memory.dmp formbook
behavioral1/memory/2680-40-0x0000000000400000-0x000000000042E000-memory.dmp formbook
Executes dropped EXE 1 IoCs

Processes:

AddInProcess32.exe

pid process

2680 AddInProcess32.exe
Loads dropped DLL 1 IoCs

Processes:

13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe

pid process

624 13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral1/memory/624-17-0x0000000000970000-0x0000000000998000-memory.dmp agile_net

resource	yara_rule
behavioral1/memory/2680-34-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2680-40-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

pid	process
2680	AddInProcess32.exe

resource	yara_rule
behavioral1/memory/624-17-0x0000000000970000-0x0000000000998000-memory.dmp	agile_net

Suspicious use of SetThreadContext 3 IoCs

Processes:

13b21115bd414b3cff0365351398e92a_JaffaCakes118.exeAddInProcess32.exewlanext.exe

description	pid	process	target process
PID 624 set thread context of 2680	624	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe
PID 2680 set thread context of 1360	2680	AddInProcess32.exe	Explorer.EXE
PID 2152 set thread context of 1360	2152	wlanext.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

13b21115bd414b3cff0365351398e92a_JaffaCakes118.exeAddInProcess32.exewlanext.exe

pid	process
624	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
624	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
2680	AddInProcess32.exe
2680	AddInProcess32.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe
2152	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

AddInProcess32.exewlanext.exe

pid process

2680 AddInProcess32.exe
2680 AddInProcess32.exe
2680 AddInProcess32.exe
2152 wlanext.exe
2152 wlanext.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

13b21115bd414b3cff0365351398e92a_JaffaCakes118.exeAddInProcess32.exewlanext.exe

description pid process

Token: SeDebugPrivilege 624 13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
Token: SeDebugPrivilege 2680 AddInProcess32.exe
Token: SeDebugPrivilege 2152 wlanext.exe

pid	process
2680	AddInProcess32.exe
2680	AddInProcess32.exe
2680	AddInProcess32.exe
2152	wlanext.exe
2152	wlanext.exe

description	pid	process
Token: SeDebugPrivilege	624	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
Token: SeDebugPrivilege	2680	AddInProcess32.exe
Token: SeDebugPrivilege	2152	wlanext.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

13b21115bd414b3cff0365351398e92a_JaffaCakes118.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 624 wrote to memory of 2680	624	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe
PID 624 wrote to memory of 2680	624	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe
PID 624 wrote to memory of 2680	624	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe
PID 624 wrote to memory of 2680	624	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe
PID 624 wrote to memory of 2680	624	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe
PID 624 wrote to memory of 2680	624	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe
PID 624 wrote to memory of 2680	624	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe
PID 1360 wrote to memory of 2152	1360	Explorer.EXE	wlanext.exe
PID 1360 wrote to memory of 2152	1360	Explorer.EXE	wlanext.exe
PID 1360 wrote to memory of 2152	1360	Explorer.EXE	wlanext.exe
PID 1360 wrote to memory of 2152	1360	Explorer.EXE	wlanext.exe
PID 2152 wrote to memory of 1352	2152	wlanext.exe	cmd.exe
PID 2152 wrote to memory of 1352	2152	wlanext.exe	cmd.exe
PID 2152 wrote to memory of 1352	2152	wlanext.exe	cmd.exe
PID 2152 wrote to memory of 1352	2152	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
PID:1352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
memory/624-36-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/624-1-0x00000000011A0000-0x0000000001274000-memory.dmp

Filesize
848KB

Download
memory/624-2-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/624-17-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/624-18-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/624-19-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/624-20-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/624-21-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/624-23-0x0000000000860000-0x0000000000874000-memory.dmp

Filesize
80KB

Download
memory/624-24-0x0000000000FC0000-0x0000000000FC6000-memory.dmp

Filesize
24KB

Download
memory/624-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/1360-42-0x00000000045B0000-0x000000000468D000-memory.dmp

Filesize
884KB

Download
memory/1360-39-0x0000000003160000-0x0000000003260000-memory.dmp

Filesize
1024KB

Download
memory/1360-49-0x00000000045B0000-0x000000000468D000-memory.dmp

Filesize
884KB

Download
memory/2152-45-0x00000000009A0000-0x00000000009B6000-memory.dmp

Filesize
88KB

Download
memory/2152-43-0x00000000009A0000-0x00000000009B6000-memory.dmp

Filesize
88KB

Download
memory/2680-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2680-34-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2680-30-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2680-37-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/2680-41-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/2680-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2680-40-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads