formbook | d153e8b542963a9c9ae3fa96421f2ec2c5779759d0a086f3545b7e9c91074476

General

Target

183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
Size

942KB
MD5

183a8b19a056c944237876bea31a697c
SHA1

c11f5484af3e4d8e34c35a7b7363078b0f23e079
SHA256

d153e8b542963a9c9ae3fa96421f2ec2c5779759d0a086f3545b7e9c91074476
SHA512

29821c783a90ffbeca765cb50e178fa772acc78b22b23490e7329b8b406cd6184e65359a24c068b3ac30936410b1a7920ed393b08ee2bb9e34fd81604eed89b6
SSDEEP

12288:GO4jeQ5jsruJH+ReJqvqfLRXwK4+HNONnvsyl9vai2K046Mnq0UnsO5lJkKzUvoc:XHBQLW10ergut8+VuRHPXWMj

Score

10^/10

formbook rf3t rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rf3t

Decoy

palmettohomeswakulla.com

sorelleapparel.com

abouttohour.com

ogrownhemp.com

themontagnard.com

zarioch.space

lty712.info

ajdstone.com

600plusgymspa.com

schmitzland.com

luhuigw.com

mysafeplacetoinsure.com

barkpark.club

investigation-science.com

sermonartnotes.net

gorgeousflippinllc.com

smarttrendshop.com

markusjungfoto.com

glyzaelbol.info

thewiseowl.art

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/4192-17-0x0000000000400000-0x000000000042F000-memory.dmp formbook
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation 183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

description pid process target process

PID 3900 set thread context of 4192 3900 183a8b19a056c944237876bea31a697c_JaffaCakes118.exe 183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4008 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

183a8b19a056c944237876bea31a697c_JaffaCakes118.exe183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

pid process

3900 183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
4192 183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
4192 183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 3900 183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

resource	yara_rule
behavioral2/memory/4192-17-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

description	pid	process	target process
PID 3900 set thread context of 4192	3900	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

pid	process
4008	schtasks.exe

pid	process
3900	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
4192	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
4192	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3900	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

description	pid	process	target process
PID 3900 wrote to memory of 4008	3900	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	schtasks.exe
PID 3900 wrote to memory of 4008	3900	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	schtasks.exe
PID 3900 wrote to memory of 4008	3900	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	schtasks.exe
PID 3900 wrote to memory of 4192	3900	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
PID 3900 wrote to memory of 4192	3900	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
PID 3900 wrote to memory of 4192	3900	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
PID 3900 wrote to memory of 4192	3900	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
PID 3900 wrote to memory of 4192	3900	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
PID 3900 wrote to memory of 4192	3900	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe	183a8b19a056c944237876bea31a697c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\183a8b19a056c944237876bea31a697c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKyccEisJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAA98.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Users\Admin\AppData\Local\Temp\183a8b19a056c944237876bea31a697c_JaffaCakes118.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4192

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAA98.tmp
Filesize
1KB

MD5
7e2a1618f26e2968b56e999d5a011ca5

SHA1
6af136cf5c6c7d5685a20180b4a1db32f62cf43a

SHA256
510cc1ffaf7a05f3ccd9777b4fc2d5c9ad6ef234db8b549258a22caf340c49ae

SHA512
73adc61c0ed4c445986e07c7df34c154cf593ecc63c28a8b3150761d7920131d14af3b5becebe7d63b8a8eb7ab9d4e10f8421cd4a38d883a0b8bd12f264a0de8

Download Submit
memory/3900-8-0x0000000004BE0000-0x0000000004C02000-memory.dmp

Filesize
136KB

Download
memory/3900-5-0x0000000004A60000-0x0000000004A6A000-memory.dmp

Filesize
40KB

Download
memory/3900-9-0x0000000004400000-0x0000000004414000-memory.dmp

Filesize
80KB

Download
memory/3900-4-0x0000000004AE0000-0x0000000004B72000-memory.dmp

Filesize
584KB

Download
memory/3900-10-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/3900-6-0x0000000004B80000-0x0000000004BD6000-memory.dmp

Filesize
344KB

Download
memory/3900-7-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/3900-11-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/3900-3-0x0000000004FF0000-0x0000000005594000-memory.dmp

Filesize
5.6MB

Download
memory/3900-2-0x00000000049A0000-0x0000000004A3C000-memory.dmp

Filesize
624KB

Download
memory/3900-0-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/3900-12-0x0000000006210000-0x00000000062B4000-memory.dmp

Filesize
656KB

Download
memory/3900-13-0x0000000005DA0000-0x0000000005DF6000-memory.dmp

Filesize
344KB

Download
memory/3900-1-0x0000000000050000-0x0000000000142000-memory.dmp

Filesize
968KB

Download
memory/3900-19-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/4192-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4192-20-0x0000000001050000-0x000000000139A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing