formbook | 1517b72d950951e2a53e5881d9f72ef224128454d1bf4ad28afbbee341787e9c

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe
Size

892KB
MD5

156a8f3ff2daa772e183f33d03542088
SHA1

d5c5d9adc26f34f357bbbc04b76db5589154c096
SHA256

1517b72d950951e2a53e5881d9f72ef224128454d1bf4ad28afbbee341787e9c
SHA512

bf19dacebe4ca845683f2a0e63e03df6d93619ab8eecc7971b4554c48bbd03e0f4c796c635268261110be4d718dc8163a11c208e9d27bffacd29a8d8bf801f25
SSDEEP

12288:xLfmbbfGD5BroDcsIE++hSpk6L1S3Yp+vpVhd5FhM1wVTMsMz4AJ3sPerFfBL2qJ:xLfmbbfirrts4+ApkmAYp+vdFRtT8

Score

10^/10

formbook gbl rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gbl

Decoy

dx268.com

textbot4you.com

critictable.com

fsclub.info

order-review.com

tkgenergy.com

contavip.info

fashionests.com

sieromart.com

miamimobiletesting.com

oxforhabits.com

yugoslavilk.online

inieenterprises.com

bythebucketfranchise.com

parcelified.com

signalcyclers.com

starryeyedproject.com

proteacherstore.com

horos.tech

bovadaracebook.sucks

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/4324-13-0x0000000000400000-0x000000000042E000-memory.dmp formbook
Suspicious use of SetThreadContext 1 IoCs

Processes:

156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe

description pid process target process

PID 64 set thread context of 4324 64 156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe 156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe

pid process

4324 156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe
4324 156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe

resource	yara_rule
behavioral2/memory/4324-13-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

description	pid	process	target process
PID 64 set thread context of 4324	64	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe

pid	process
4324	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe
4324	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe

description	pid	process	target process
PID 64 wrote to memory of 4324	64	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe
PID 64 wrote to memory of 4324	64	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe
PID 64 wrote to memory of 4324	64	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe
PID 64 wrote to memory of 4324	64	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe
PID 64 wrote to memory of 4324	64	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe
PID 64 wrote to memory of 4324	64	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe	156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:64

C:\Users\Admin\AppData\Local\Temp\156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\156a8f3ff2daa772e183f33d03542088_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-8-0x0000000008430000-0x0000000008784000-memory.dmp

Filesize
3.3MB

Download
memory/64-6-0x0000000002DA0000-0x0000000002DAA000-memory.dmp

Filesize
40KB

Download
memory/64-2-0x0000000007830000-0x00000000078CC000-memory.dmp

Filesize
624KB

Download
memory/64-3-0x0000000007E80000-0x0000000008424000-memory.dmp

Filesize
5.6MB

Download
memory/64-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

Filesize
4KB

Download
memory/64-5-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/64-1-0x00000000008B0000-0x0000000000994000-memory.dmp

Filesize
912KB

Download
memory/64-7-0x00000000078D0000-0x0000000007926000-memory.dmp

Filesize
344KB

Download
memory/64-4-0x0000000007970000-0x0000000007A02000-memory.dmp

Filesize
584KB

Download
memory/64-9-0x0000000007C60000-0x0000000007C6A000-memory.dmp

Filesize
40KB

Download
memory/64-10-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

Filesize
4KB

Download
memory/64-11-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/64-12-0x0000000007E10000-0x0000000007E7C000-memory.dmp

Filesize
432KB

Download
memory/64-15-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4324-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4324-16-0x0000000000FE0000-0x000000000132A000-memory.dmp

Filesize
3.3MB

Download