formbook | 79f878be696492904510496633fcdc7458f7b2e2efb373f7d097b2276a708e51

General

Target

74291.exe
Size

638KB
MD5

d4f369f573c973d833f5060c6b80e929
SHA1

1ef7c6cf58b39dba64d282d701f5992acfae830e
SHA256

79f878be696492904510496633fcdc7458f7b2e2efb373f7d097b2276a708e51
SHA512

e57e29b18f75b94445fa732aac2c31a1d30bb2011442b2736073bdabd12949d057bcae7f340f6f26619e70e86cc95a099fca4cb3a654880c6189f30901e6cdae
SSDEEP

12288:C2N8jiZ4zypIPEtPplTY6RhKuEX1n+sDUyHVCw0VkKL3QXtzx/yffqx:C2N8jiZ4zypIPEJTDE/X1n+iUy1Cwogo

Score

10^/10

formbook a2e2 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a2e2

Decoy

emptylegtrip.com

figge.shop

euro-easy-capital.com

coinsbaseotc.com

midnight-iohk.net

cweas.online

pennymanning.net

shiehkids.net

undawear.africa

aheartfelttouch.com

attorneycaraccidents.net

colourkodedllc.com

love2lovebeautifulpleasures.com

loan-fha-now.com

mdc-shop.net

chooselifeministriescenter.com

oliverhodkinson.co.uk

data-link.site

foxton.store

dongtay.group

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1500-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1500-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1364-73-0x0000000000070000-0x000000000009F000-memory.dmp	formbook
behavioral1/memory/1364-75-0x0000000000070000-0x000000000009F000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
1332	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1444 set thread context of 1500	1444	74291.exe	28
PID 1500 set thread context of 1264	1500	74291.exe	14
PID 1364 set thread context of 1264	1364	cscript.exe	14

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1444	74291.exe
1444	74291.exe
1444	74291.exe
1444	74291.exe
1444	74291.exe
1444	74291.exe
1500	74291.exe
1500	74291.exe
1364	cscript.exe
1364	cscript.exe
1364	cscript.exe
1364	cscript.exe
1364	cscript.exe
1364	cscript.exe
1364	cscript.exe
1364	cscript.exe
1364	cscript.exe
1364	cscript.exe
1364	cscript.exe
1364	cscript.exe
1364	cscript.exe
1364	cscript.exe
1364	cscript.exe
1364	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1500	74291.exe
1500	74291.exe
1500	74291.exe
1364	cscript.exe
1364	cscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	74291.exe
Token: SeDebugPrivilege	1500	74291.exe
Token: SeDebugPrivilege	1364	cscript.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1500	1444	74291.exe	28
PID 1444 wrote to memory of 1500	1444	74291.exe	28
PID 1444 wrote to memory of 1500	1444	74291.exe	28
PID 1444 wrote to memory of 1500	1444	74291.exe	28
PID 1444 wrote to memory of 1500	1444	74291.exe	28
PID 1444 wrote to memory of 1500	1444	74291.exe	28
PID 1444 wrote to memory of 1500	1444	74291.exe	28
PID 1264 wrote to memory of 1364	1264	Explorer.EXE	29
PID 1264 wrote to memory of 1364	1264	Explorer.EXE	29
PID 1264 wrote to memory of 1364	1264	Explorer.EXE	29
PID 1264 wrote to memory of 1364	1264	Explorer.EXE	29
PID 1364 wrote to memory of 1332	1364	cscript.exe	30
PID 1364 wrote to memory of 1332	1364	cscript.exe	30
PID 1364 wrote to memory of 1332	1364	cscript.exe	30
PID 1364 wrote to memory of 1332	1364	cscript.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\74291.exe
  "C:\Users\Admin\AppData\Local\Temp\74291.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\74291.exe
    "C:\Users\Admin\AppData\Local\Temp\74291.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\74291.exe"
    3⤵
    - Deletes itself
    PID:1332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1264-70-0x0000000006950000-0x0000000006AC1000-memory.dmp

Filesize
1.4MB

Download
memory/1264-83-0x00000000070C0000-0x0000000007217000-memory.dmp

Filesize
1.3MB

Download
memory/1264-80-0x00000000070C0000-0x0000000007217000-memory.dmp

Filesize
1.3MB

Download
memory/1264-79-0x00000000070C0000-0x0000000007217000-memory.dmp

Filesize
1.3MB

Download
memory/1264-77-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1264-66-0x0000000003DE0000-0x0000000003FE0000-memory.dmp

Filesize
2.0MB

Download
memory/1364-78-0x0000000000580000-0x0000000000613000-memory.dmp

Filesize
588KB

Download
memory/1364-75-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/1364-74-0x0000000002400000-0x0000000002703000-memory.dmp

Filesize
3.0MB

Download
memory/1364-73-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/1364-72-0x0000000000FD0000-0x0000000000FF2000-memory.dmp

Filesize
136KB

Download
memory/1364-71-0x0000000000FD0000-0x0000000000FF2000-memory.dmp

Filesize
136KB

Download
memory/1444-60-0x0000000002000000-0x0000000002038000-memory.dmp

Filesize
224KB

Download
memory/1444-54-0x0000000000B10000-0x0000000000BB6000-memory.dmp

Filesize
664KB

Download
memory/1444-55-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/1444-56-0x00000000005D0000-0x00000000005DE000-memory.dmp

Filesize
56KB

Download
memory/1444-57-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/1444-58-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/1444-59-0x0000000005140000-0x00000000051B0000-memory.dmp

Filesize
448KB

Download
memory/1500-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1500-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-69-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/1500-67-0x0000000000BC0000-0x0000000000EC3000-memory.dmp

Filesize
3.0MB

Download
memory/1500-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing