formbook | 6ba41a457ec592e2539b9a1fca52ac5ea91288b04150edc01c6db17270ebaafa

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2023, 10:41 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release Pending.exe
Size

1.1MB
MD5

08bdb251d619b9d222c5481e4432339c
SHA1

49c9d1af7565e7babd6df49890555a8a8aa3a534
SHA256

1312d3fc06f4908cc94cc07e86ae369116a825b7fbd22b98d54b04e6c3ac59b5
SHA512

63ba4fd6150fd5ccc65023927a6d64fc7806312f6edb6e2e091a57f6e0e8c6365e67d240e6699d622790d75339d751dc02c66e99929f18f65462fabf122de921
SSDEEP

24576:ztjW/47VJyA5nucMY7AH979NrGGws3z67Y9Ea9RZN6RVyDU:ztjW/iF5nnNcjrjXmU9tZMXyo

Score

10^/10

formbook he2a rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

he2a

Decoy

connectioncompass.store

zekicharge.com

dp77.shop

guninfo.guru

mamaeconomics.net

narcisme.coach

redtopassociates.com

ezezn.com

theoregondog.com

pagosmultired.online

emsculptcenterofne.com

meet-friends.online

pf326.com

wealthjigsaw.xyz

arsajib.com

kickassholdings.online

avaturre.biz

dtslogs.com

lb92.tech

pittalam.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2192-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2192-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4940-149-0x0000000000A00000-0x0000000000A2F000-memory.dmp	formbook
behavioral2/memory/4940-151-0x0000000000A00000-0x0000000000A2F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4868 set thread context of 2192	4868	Release Pending.exe	92
PID 2192 set thread context of 3152	2192	Release Pending.exe	62
PID 4940 set thread context of 3152	4940	cmmon32.exe	62

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2192	Release Pending.exe
2192	Release Pending.exe
2192	Release Pending.exe
2192	Release Pending.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3152	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2192	Release Pending.exe
2192	Release Pending.exe
2192	Release Pending.exe
4940	cmmon32.exe
4940	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	Release Pending.exe
Token: SeDebugPrivilege	4940	cmmon32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 2192	4868	Release Pending.exe	92
PID 4868 wrote to memory of 2192	4868	Release Pending.exe	92
PID 4868 wrote to memory of 2192	4868	Release Pending.exe	92
PID 4868 wrote to memory of 2192	4868	Release Pending.exe	92
PID 4868 wrote to memory of 2192	4868	Release Pending.exe	92
PID 4868 wrote to memory of 2192	4868	Release Pending.exe	92
PID 3152 wrote to memory of 4940	3152	Explorer.EXE	93
PID 3152 wrote to memory of 4940	3152	Explorer.EXE	93
PID 3152 wrote to memory of 4940	3152	Explorer.EXE	93
PID 4940 wrote to memory of 372	4940	cmmon32.exe	94
PID 4940 wrote to memory of 372	4940	cmmon32.exe	94
PID 4940 wrote to memory of 372	4940	cmmon32.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Users\Admin\AppData\Local\Temp\Release Pending.exe
  "C:\Users\Admin\AppData\Local\Temp\Release Pending.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\Release Pending.exe
    "C:\Users\Admin\AppData\Local\Temp\Release Pending.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Release Pending.exe"
    3⤵
    PID:372

Network

DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

86.8.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.8.109.52.in-addr.arpa

IN PTR

Response
DNS

www.mamaeconomics.net

Remote address:

8.8.8.8:53

Request

www.mamaeconomics.net

IN A

Response

www.mamaeconomics.net

IN CNAME

mamaeconomics.net

mamaeconomics.net

IN A

34.102.136.180
GET

http://www.mamaeconomics.net/he2a/?Qj6=SN6tXpr89ZQL0J&jvh0L=0ffEbpXGB31fPi13n2d6XVkQv00ZL2UyH8ImSzU9FUJ8RH52kyefEF/P990st1wDx1XU

Explorer.EXE

Remote address:

34.102.136.180:80

Request

GET /he2a/?Qj6=SN6tXpr89ZQL0J&jvh0L=0ffEbpXGB31fPi13n2d6XVkQv00ZL2UyH8ImSzU9FUJ8RH52kyefEF/P990st1wDx1XU HTTP/1.1
Host: www.mamaeconomics.net
Connection: close

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Fri, 02 Jun 2023 10:43:07 GMT
Content-Type: text/html
Content-Length: 291
ETag: "6477f3a3-123"
Via: 1.1 google
Connection: close
DNS

180.136.102.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.136.102.34.in-addr.arpa

IN PTR

Response

180.136.102.34.in-addr.arpa

IN PTR

18013610234bcgoogleusercontentcom
DNS

www.b-store.shop

Remote address:

8.8.8.8:53

Request

www.b-store.shop

IN A

Response
DNS

www.bavrnimn.site

Remote address:

8.8.8.8:53

Request

www.bavrnimn.site

IN A

Response
DNS

www.pittalam.com

Remote address:

8.8.8.8:53

Request

www.pittalam.com

IN A

Response

www.pittalam.com

IN A

103.181.194.5
GET

http://www.pittalam.com/he2a/?jvh0L=6mtiiNDxnJtLR6isq7s4LFmQmSMrbnu7fYJ+sHyGWBrq8vdc/7IBvuhk0b8scMn1rLgN&Qj6=SN6tXpr89ZQL0J

Explorer.EXE

Remote address:

103.181.194.5:80

Request

GET /he2a/?jvh0L=6mtiiNDxnJtLR6isq7s4LFmQmSMrbnu7fYJ+sHyGWBrq8vdc/7IBvuhk0b8scMn1rLgN&Qj6=SN6tXpr89ZQL0J HTTP/1.1
Host: www.pittalam.com
Connection: close

Response

HTTP/1.1 308 Permanent Redirect

Connection: close
Location: https://www.pittalam.com/he2a/?jvh0L=6mtiiNDxnJtLR6isq7s4LFmQmSMrbnu7fYJ+sHyGWBrq8vdc/7IBvuhk0b8scMn1rLgN&Qj6=SN6tXpr89ZQL0J
Server: Caddy
Date: Fri, 02 Jun 2023 10:44:08 GMT
Content-Length: 0
DNS

5.194.181.103.in-addr.arpa

Remote address:

8.8.8.8:53

Request

5.194.181.103.in-addr.arpa

IN PTR

Response

40.125.122.176:443

260 B
5
13.89.179.8:443

322 B
7
40.125.122.176:443

260 B
5
8.238.21.254:80

322 B
7
8.238.21.254:80

322 B
7
40.125.122.176:443

260 B
5
8.238.21.254:80

322 B
7
8.238.21.254:80

322 B
7
34.102.136.180:80

http://www.mamaeconomics.net/he2a/?Qj6=SN6tXpr89ZQL0J&jvh0L=0ffEbpXGB31fPi13n2d6XVkQv00ZL2UyH8ImSzU9FUJ8RH52kyefEF/P990st1wDx1XU

http

Explorer.EXE

402 B
689 B
5
5

HTTP Request

GET http://www.mamaeconomics.net/he2a/?Qj6=SN6tXpr89ZQL0J&jvh0L=0ffEbpXGB31fPi13n2d6XVkQv00ZL2UyH8ImSzU9FUJ8RH52kyefEF/P990st1wDx1XU

HTTP Response

403
173.223.113.164:443

322 B
7
40.125.122.176:443

260 B
5
173.223.113.131:80

322 B
7
131.253.33.203:80

322 B
7
40.125.122.176:443

260 B
5
40.125.122.176:443

208 B
4
103.181.194.5:80

http://www.pittalam.com/he2a/?jvh0L=6mtiiNDxnJtLR6isq7s4LFmQmSMrbnu7fYJ+sHyGWBrq8vdc/7IBvuhk0b8scMn1rLgN&Qj6=SN6tXpr89ZQL0J

http

Explorer.EXE

443 B
513 B
6
6

HTTP Request

GET http://www.pittalam.com/he2a/?jvh0L=6mtiiNDxnJtLR6isq7s4LFmQmSMrbnu7fYJ+sHyGWBrq8vdc/7IBvuhk0b8scMn1rLgN&Qj6=SN6tXpr89ZQL0J

HTTP Response

308

8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

71.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

86.8.109.52.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.8.109.52.in-addr.arpa
8.8.8.8:53

www.mamaeconomics.net

dns

67 B
97 B
1
1

DNS Request

www.mamaeconomics.net

DNS Response

34.102.136.180
8.8.8.8:53

180.136.102.34.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

180.136.102.34.in-addr.arpa
8.8.8.8:53

www.b-store.shop

dns

62 B
135 B
1
1

DNS Request

www.b-store.shop
8.8.8.8:53

www.bavrnimn.site

dns

63 B
128 B
1
1

DNS Request

www.bavrnimn.site
8.8.8.8:53

www.pittalam.com

dns

62 B
78 B
1
1

DNS Request

www.pittalam.com

DNS Response

103.181.194.5
8.8.8.8:53

5.194.181.103.in-addr.arpa

dns

72 B
160 B
1
1

DNS Request

5.194.181.103.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2192-142-0x0000000001BC0000-0x0000000001F0A000-memory.dmp

Filesize
3.3MB

Download
memory/2192-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-144-0x0000000001A50000-0x0000000001A65000-memory.dmp

Filesize
84KB

Download
memory/2192-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3152-157-0x0000000008BB0000-0x0000000008D22000-memory.dmp

Filesize
1.4MB

Download
memory/3152-155-0x0000000008BB0000-0x0000000008D22000-memory.dmp

Filesize
1.4MB

Download
memory/3152-154-0x0000000008BB0000-0x0000000008D22000-memory.dmp

Filesize
1.4MB

Download
memory/3152-145-0x0000000008AA0000-0x0000000008BA3000-memory.dmp

Filesize
1.0MB

Download
memory/4868-138-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4868-139-0x0000000008270000-0x000000000830C000-memory.dmp

Filesize
624KB

Download
memory/4868-133-0x0000000000230000-0x000000000035A000-memory.dmp

Filesize
1.2MB

Download
memory/4868-137-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4868-136-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

Filesize
40KB

Download
memory/4868-135-0x0000000004D20000-0x0000000004DB2000-memory.dmp

Filesize
584KB

Download
memory/4868-134-0x00000000053B0000-0x0000000005954000-memory.dmp

Filesize
5.6MB

Download
memory/4940-146-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/4940-148-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/4940-149-0x0000000000A00000-0x0000000000A2F000-memory.dmp

Filesize
188KB

Download
memory/4940-150-0x0000000002940000-0x0000000002C8A000-memory.dmp

Filesize
3.3MB

Download
memory/4940-151-0x0000000000A00000-0x0000000000A2F000-memory.dmp

Filesize
188KB

Download
memory/4940-153-0x0000000002C90000-0x0000000002D24000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.