formbook | 4d0418d6ed89ac0dd6a7be7b8b73fbf85d69e0823ce8e392398b3ad005d5839f

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe
Size

659KB
MD5

20ce27d410e9cb9d9ac96ab615e607c6
SHA1

1132b5764975577b8f26c8b3cf9b2b17aa51a095
SHA256

4d0418d6ed89ac0dd6a7be7b8b73fbf85d69e0823ce8e392398b3ad005d5839f
SHA512

f6c9433178e992feaef4f36807dee4cb2e19e268284f5cb8515b4b217e23aff3c1e35d8ac5fe20908ee4e4d3341e7e7a8cc0dd91af0a7d837d244c5481c6f4b8
SSDEEP

12288:gYxBYG+2AM0TFoei0W+7Bt7NNdO9AbrPJnwJo6UWa3urQ:dxBYiWSe2oBt7Nu23cmWG

Score

10^/10

formbook gbl rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gbl

Decoy

dx268.com

textbot4you.com

critictable.com

fsclub.info

order-review.com

tkgenergy.com

contavip.info

fashionests.com

sieromart.com

miamimobiletesting.com

oxforhabits.com

yugoslavilk.online

inieenterprises.com

bythebucketfranchise.com

parcelified.com

signalcyclers.com

starryeyedproject.com

proteacherstore.com

horos.tech

bovadaracebook.sucks

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/2512-13-0x0000000000400000-0x000000000042E000-memory.dmp formbook
Suspicious use of SetThreadContext 1 IoCs

Processes:

20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe

description pid process target process

PID 2236 set thread context of 2512 2236 20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe 20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe

pid process

2512 20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe

resource	yara_rule
behavioral1/memory/2512-13-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

description	pid	process	target process
PID 2236 set thread context of 2512	2236	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe

pid	process
2512	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe

description	pid	process	target process
PID 2236 wrote to memory of 2512	2236	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe
PID 2236 wrote to memory of 2512	2236	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe
PID 2236 wrote to memory of 2512	2236	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe
PID 2236 wrote to memory of 2512	2236	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe
PID 2236 wrote to memory of 2512	2236	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe
PID 2236 wrote to memory of 2512	2236	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe
PID 2236 wrote to memory of 2512	2236	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe	20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20ce27d410e9cb9d9ac96ab615e607c6_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2512

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2236-6-0x0000000004F80000-0x0000000004FE4000-memory.dmp

Filesize
400KB

Download
memory/2236-1-0x0000000010400000-0x00000000104AA000-memory.dmp

Filesize
680KB

Download
memory/2236-2-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-3-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/2236-4-0x000000007425E000-0x000000007425F000-memory.dmp

Filesize
4KB

Download
memory/2236-5-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-0-0x000000007425E000-0x000000007425F000-memory.dmp

Filesize
4KB

Download
memory/2236-14-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2512-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2512-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2512-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2512-15-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download