formbook | 6ba41a457ec592e2539b9a1fca52ac5ea91288b04150edc01c6db17270ebaafa

General

Target

Release Pending.exe
Size

1.1MB
MD5

08bdb251d619b9d222c5481e4432339c
SHA1

49c9d1af7565e7babd6df49890555a8a8aa3a534
SHA256

1312d3fc06f4908cc94cc07e86ae369116a825b7fbd22b98d54b04e6c3ac59b5
SHA512

63ba4fd6150fd5ccc65023927a6d64fc7806312f6edb6e2e091a57f6e0e8c6365e67d240e6699d622790d75339d751dc02c66e99929f18f65462fabf122de921
SSDEEP

24576:ztjW/47VJyA5nucMY7AH979NrGGws3z67Y9Ea9RZN6RVyDU:ztjW/iF5nnNcjrjXmU9tZMXyo

Score

10^/10

formbook he2a rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

he2a

Decoy

connectioncompass.store

zekicharge.com

dp77.shop

guninfo.guru

mamaeconomics.net

narcisme.coach

redtopassociates.com

ezezn.com

theoregondog.com

pagosmultired.online

emsculptcenterofne.com

meet-friends.online

pf326.com

wealthjigsaw.xyz

arsajib.com

kickassholdings.online

avaturre.biz

dtslogs.com

lb92.tech

pittalam.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2192-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2192-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4940-149-0x0000000000A00000-0x0000000000A2F000-memory.dmp	formbook
behavioral2/memory/4940-151-0x0000000000A00000-0x0000000000A2F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4868 set thread context of 2192	4868	Release Pending.exe	92
PID 2192 set thread context of 3152	2192	Release Pending.exe	62
PID 4940 set thread context of 3152	4940	cmmon32.exe	62

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2192	Release Pending.exe
2192	Release Pending.exe
2192	Release Pending.exe
2192	Release Pending.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe
4940	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3152	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2192	Release Pending.exe
2192	Release Pending.exe
2192	Release Pending.exe
4940	cmmon32.exe
4940	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	Release Pending.exe
Token: SeDebugPrivilege	4940	cmmon32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 2192	4868	Release Pending.exe	92
PID 4868 wrote to memory of 2192	4868	Release Pending.exe	92
PID 4868 wrote to memory of 2192	4868	Release Pending.exe	92
PID 4868 wrote to memory of 2192	4868	Release Pending.exe	92
PID 4868 wrote to memory of 2192	4868	Release Pending.exe	92
PID 4868 wrote to memory of 2192	4868	Release Pending.exe	92
PID 3152 wrote to memory of 4940	3152	Explorer.EXE	93
PID 3152 wrote to memory of 4940	3152	Explorer.EXE	93
PID 3152 wrote to memory of 4940	3152	Explorer.EXE	93
PID 4940 wrote to memory of 372	4940	cmmon32.exe	94
PID 4940 wrote to memory of 372	4940	cmmon32.exe	94
PID 4940 wrote to memory of 372	4940	cmmon32.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Users\Admin\AppData\Local\Temp\Release Pending.exe
  "C:\Users\Admin\AppData\Local\Temp\Release Pending.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\Release Pending.exe
    "C:\Users\Admin\AppData\Local\Temp\Release Pending.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Release Pending.exe"
    3⤵
    PID:372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2192-142-0x0000000001BC0000-0x0000000001F0A000-memory.dmp

Filesize
3.3MB

Download
memory/2192-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-144-0x0000000001A50000-0x0000000001A65000-memory.dmp

Filesize
84KB

Download
memory/2192-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3152-157-0x0000000008BB0000-0x0000000008D22000-memory.dmp

Filesize
1.4MB

Download
memory/3152-155-0x0000000008BB0000-0x0000000008D22000-memory.dmp

Filesize
1.4MB

Download
memory/3152-154-0x0000000008BB0000-0x0000000008D22000-memory.dmp

Filesize
1.4MB

Download
memory/3152-145-0x0000000008AA0000-0x0000000008BA3000-memory.dmp

Filesize
1.0MB

Download
memory/4868-138-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4868-139-0x0000000008270000-0x000000000830C000-memory.dmp

Filesize
624KB

Download
memory/4868-133-0x0000000000230000-0x000000000035A000-memory.dmp

Filesize
1.2MB

Download
memory/4868-137-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4868-136-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

Filesize
40KB

Download
memory/4868-135-0x0000000004D20000-0x0000000004DB2000-memory.dmp

Filesize
584KB

Download
memory/4868-134-0x00000000053B0000-0x0000000005954000-memory.dmp

Filesize
5.6MB

Download
memory/4940-146-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/4940-148-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/4940-149-0x0000000000A00000-0x0000000000A2F000-memory.dmp

Filesize
188KB

Download
memory/4940-150-0x0000000002940000-0x0000000002C8A000-memory.dmp

Filesize
3.3MB

Download
memory/4940-151-0x0000000000A00000-0x0000000000A2F000-memory.dmp

Filesize
188KB

Download
memory/4940-153-0x0000000002C90000-0x0000000002D24000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing