formbook | 79f878be696492904510496633fcdc7458f7b2e2efb373f7d097b2276a708e51

General

Target

74291.exe
Size

638KB
MD5

d4f369f573c973d833f5060c6b80e929
SHA1

1ef7c6cf58b39dba64d282d701f5992acfae830e
SHA256

79f878be696492904510496633fcdc7458f7b2e2efb373f7d097b2276a708e51
SHA512

e57e29b18f75b94445fa732aac2c31a1d30bb2011442b2736073bdabd12949d057bcae7f340f6f26619e70e86cc95a099fca4cb3a654880c6189f30901e6cdae
SSDEEP

12288:C2N8jiZ4zypIPEtPplTY6RhKuEX1n+sDUyHVCw0VkKL3QXtzx/yffqx:C2N8jiZ4zypIPEJTDE/X1n+iUy1Cwogo

Score

10^/10

formbook a2e2 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a2e2

Decoy

emptylegtrip.com

figge.shop

euro-easy-capital.com

coinsbaseotc.com

midnight-iohk.net

cweas.online

pennymanning.net

shiehkids.net

undawear.africa

aheartfelttouch.com

attorneycaraccidents.net

colourkodedllc.com

love2lovebeautifulpleasures.com

loan-fha-now.com

mdc-shop.net

chooselifeministriescenter.com

oliverhodkinson.co.uk

data-link.site

foxton.store

dongtay.group

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral2/memory/2400-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2400-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2400-151-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1260-153-0x0000000000340000-0x000000000036F000-memory.dmp	formbook
behavioral2/memory/1260-155-0x0000000000340000-0x000000000036F000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3812 set thread context of 2400	3812	74291.exe	91
PID 2400 set thread context of 3172	2400	74291.exe	39
PID 2400 set thread context of 3172	2400	74291.exe	39
PID 1260 set thread context of 3172	1260	colorcpl.exe	39

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
3812	74291.exe
3812	74291.exe
3812	74291.exe
3812	74291.exe
3812	74291.exe
3812	74291.exe
3812	74291.exe
2400	74291.exe
2400	74291.exe
2400	74291.exe
2400	74291.exe
2400	74291.exe
2400	74291.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe
1260	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3172	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2400	74291.exe
2400	74291.exe
2400	74291.exe
2400	74291.exe
1260	colorcpl.exe
1260	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	74291.exe
Token: SeDebugPrivilege	2400	74291.exe
Token: SeDebugPrivilege	1260	colorcpl.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 2400	3812	74291.exe	91
PID 3812 wrote to memory of 2400	3812	74291.exe	91
PID 3812 wrote to memory of 2400	3812	74291.exe	91
PID 3812 wrote to memory of 2400	3812	74291.exe	91
PID 3812 wrote to memory of 2400	3812	74291.exe	91
PID 3812 wrote to memory of 2400	3812	74291.exe	91
PID 3172 wrote to memory of 1260	3172	Explorer.EXE	92
PID 3172 wrote to memory of 1260	3172	Explorer.EXE	92
PID 3172 wrote to memory of 1260	3172	Explorer.EXE	92
PID 1260 wrote to memory of 4008	1260	colorcpl.exe	93
PID 1260 wrote to memory of 4008	1260	colorcpl.exe	93
PID 1260 wrote to memory of 4008	1260	colorcpl.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\74291.exe
  "C:\Users\Admin\AppData\Local\Temp\74291.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\74291.exe
    "C:\Users\Admin\AppData\Local\Temp\74291.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\74291.exe"
    3⤵
    PID:4008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1260-150-0x0000000000680000-0x0000000000699000-memory.dmp

Filesize
100KB

Download
memory/1260-157-0x0000000002360000-0x00000000023F3000-memory.dmp

Filesize
588KB

Download
memory/1260-155-0x0000000000340000-0x000000000036F000-memory.dmp

Filesize
188KB

Download
memory/1260-154-0x0000000002460000-0x00000000027AA000-memory.dmp

Filesize
3.3MB

Download
memory/1260-153-0x0000000000340000-0x000000000036F000-memory.dmp

Filesize
188KB

Download
memory/1260-152-0x0000000000680000-0x0000000000699000-memory.dmp

Filesize
100KB

Download
memory/2400-148-0x0000000001AA0000-0x0000000001AB4000-memory.dmp

Filesize
80KB

Download
memory/2400-143-0x0000000001B40000-0x0000000001E8A000-memory.dmp

Filesize
3.3MB

Download
memory/2400-145-0x0000000001A40000-0x0000000001A54000-memory.dmp

Filesize
80KB

Download
memory/2400-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-158-0x0000000009070000-0x000000000917F000-memory.dmp

Filesize
1.1MB

Download
memory/3172-146-0x0000000007A30000-0x0000000007BAD000-memory.dmp

Filesize
1.5MB

Download
memory/3172-161-0x0000000009070000-0x000000000917F000-memory.dmp

Filesize
1.1MB

Download
memory/3172-149-0x00000000093A0000-0x0000000009520000-memory.dmp

Filesize
1.5MB

Download
memory/3172-159-0x0000000009070000-0x000000000917F000-memory.dmp

Filesize
1.1MB

Download
memory/3812-139-0x00000000074B0000-0x000000000754C000-memory.dmp

Filesize
624KB

Download
memory/3812-136-0x0000000005840000-0x000000000584A000-memory.dmp

Filesize
40KB

Download
memory/3812-135-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/3812-134-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/3812-137-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/3812-138-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/3812-133-0x0000000000DC0000-0x0000000000E66000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing