formbook | ea370765d72286adf1310958539f8caed1eeab11b23644b4f0672840e3c937af

General

Target

hesaphareketi-01.PDF.exe
Size

739KB
MD5

e9d423ad70831fee10afa1a3a58da8c0
SHA1

305c942109bb57a34791689d76fc2e013cd96d41
SHA256

ea370765d72286adf1310958539f8caed1eeab11b23644b4f0672840e3c937af
SHA512

17a18bd014479bd2c20ed891fb4c719038416e18a1b61e13717b89f739914213893e9b1e36e00e52e6aee420325bfe0f76f01af4496704024bcb069fe99c9315
SSDEEP

12288:9rHkmFx2iqNhujGjUR9HCxnbD0gaJ5oAmk7WKR5njrK8MHJMtrDaOfqx:tEmFxU8Cxnf0gq5OgWKrvzNtrDx

Score

10^/10

formbook a2e2 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a2e2

Decoy

emptylegtrip.com

figge.shop

euro-easy-capital.com

coinsbaseotc.com

midnight-iohk.net

cweas.online

pennymanning.net

shiehkids.net

undawear.africa

aheartfelttouch.com

attorneycaraccidents.net

colourkodedllc.com

love2lovebeautifulpleasures.com

loan-fha-now.com

mdc-shop.net

chooselifeministriescenter.com

oliverhodkinson.co.uk

data-link.site

foxton.store

dongtay.group

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1636-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1636-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4576-149-0x00000000010D0000-0x00000000010FF000-memory.dmp	formbook
behavioral2/memory/4576-151-0x00000000010D0000-0x00000000010FF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 1636	1508	hesaphareketi-01.PDF.exe	90
PID 1636 set thread context of 3136	1636	hesaphareketi-01.PDF.exe	45
PID 4576 set thread context of 3136	4576	colorcpl.exe	45

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
1508	hesaphareketi-01.PDF.exe
1508	hesaphareketi-01.PDF.exe
1508	hesaphareketi-01.PDF.exe
1508	hesaphareketi-01.PDF.exe
1508	hesaphareketi-01.PDF.exe
1508	hesaphareketi-01.PDF.exe
1508	hesaphareketi-01.PDF.exe
1636	hesaphareketi-01.PDF.exe
1636	hesaphareketi-01.PDF.exe
1636	hesaphareketi-01.PDF.exe
1636	hesaphareketi-01.PDF.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe
4576	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3136	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1636	hesaphareketi-01.PDF.exe
1636	hesaphareketi-01.PDF.exe
1636	hesaphareketi-01.PDF.exe
4576	colorcpl.exe
4576	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	hesaphareketi-01.PDF.exe
Token: SeDebugPrivilege	1636	hesaphareketi-01.PDF.exe
Token: SeDebugPrivilege	4576	colorcpl.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1636	1508	hesaphareketi-01.PDF.exe	90
PID 1508 wrote to memory of 1636	1508	hesaphareketi-01.PDF.exe	90
PID 1508 wrote to memory of 1636	1508	hesaphareketi-01.PDF.exe	90
PID 1508 wrote to memory of 1636	1508	hesaphareketi-01.PDF.exe	90
PID 1508 wrote to memory of 1636	1508	hesaphareketi-01.PDF.exe	90
PID 1508 wrote to memory of 1636	1508	hesaphareketi-01.PDF.exe	90
PID 3136 wrote to memory of 4576	3136	Explorer.EXE	91
PID 3136 wrote to memory of 4576	3136	Explorer.EXE	91
PID 3136 wrote to memory of 4576	3136	Explorer.EXE	91
PID 4576 wrote to memory of 4164	4576	colorcpl.exe	92
PID 4576 wrote to memory of 4164	4576	colorcpl.exe	92
PID 4576 wrote to memory of 4164	4576	colorcpl.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.PDF.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.PDF.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.PDF.exe"
    3⤵
    PID:4164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1508-133-0x00000000009B0000-0x0000000000A6E000-memory.dmp

Filesize
760KB

Download
memory/1508-134-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/1508-135-0x00000000053F0000-0x0000000005482000-memory.dmp

Filesize
584KB

Download
memory/1508-136-0x0000000005490000-0x000000000549A000-memory.dmp

Filesize
40KB

Download
memory/1508-137-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/1508-138-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/1508-139-0x00000000073A0000-0x000000000743C000-memory.dmp

Filesize
624KB

Download
memory/1636-144-0x00000000013D0000-0x00000000013E4000-memory.dmp

Filesize
80KB

Download
memory/1636-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1636-143-0x0000000001410000-0x000000000175A000-memory.dmp

Filesize
3.3MB

Download
memory/1636-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3136-154-0x00000000089B0000-0x0000000008A86000-memory.dmp

Filesize
856KB

Download
memory/3136-145-0x00000000031B0000-0x0000000003268000-memory.dmp

Filesize
736KB

Download
memory/3136-157-0x00000000089B0000-0x0000000008A86000-memory.dmp

Filesize
856KB

Download
memory/3136-155-0x00000000089B0000-0x0000000008A86000-memory.dmp

Filesize
856KB

Download
memory/4576-146-0x0000000000550000-0x0000000000569000-memory.dmp

Filesize
100KB

Download
memory/4576-151-0x00000000010D0000-0x00000000010FF000-memory.dmp

Filesize
188KB

Download
memory/4576-150-0x0000000003010000-0x000000000335A000-memory.dmp

Filesize
3.3MB

Download
memory/4576-153-0x0000000002F40000-0x0000000002FD3000-memory.dmp

Filesize
588KB

Download
memory/4576-149-0x00000000010D0000-0x00000000010FF000-memory.dmp

Filesize
188KB

Download
memory/4576-148-0x0000000000550000-0x0000000000569000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing