formbook | d1fdb78142a09be2db38f3e704f9cc96649745d1055eef07a702ed674cb4b9ed

General

Target

Receipt!!.exe
Size

663KB
MD5

980e6c7bdc869c67769248c534cf5473
SHA1

07745c458e1f91e83802eb77a49d56249de54538
SHA256

d1fdb78142a09be2db38f3e704f9cc96649745d1055eef07a702ed674cb4b9ed
SHA512

a675732c5d884e12c50c93a0ff88b1d27c4aac7bdd08bafe4a2122dce769cdff01087de6f5b59e5311e2b3c6ca6e4797e2785163325b53bfe001bd1d98497803
SSDEEP

12288:6/jDsEOuu3QssNxoDp5HkVerWPYV8q36Ie0y5mNNyvdOe9YI:6L5OVQsIxQp5Hk4iPexNy5t

Score

10^/10

formbook he2a rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

he2a

Decoy

connectioncompass.store

zekicharge.com

dp77.shop

guninfo.guru

mamaeconomics.net

narcisme.coach

redtopassociates.com

ezezn.com

theoregondog.com

pagosmultired.online

emsculptcenterofne.com

meet-friends.online

pf326.com

wealthjigsaw.xyz

arsajib.com

kickassholdings.online

avaturre.biz

dtslogs.com

lb92.tech

pittalam.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/3852-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3852-17-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2916-23-0x0000000001180000-0x00000000011AF000-memory.dmp	formbook
behavioral2/memory/2916-25-0x0000000001180000-0x00000000011AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 744 set thread context of 3852	744	Receipt!!.exe	99
PID 3852 set thread context of 3168	3852	Receipt!!.exe	11
PID 2916 set thread context of 3168	2916	cmd.exe	11

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
744	Receipt!!.exe
744	Receipt!!.exe
744	Receipt!!.exe
744	Receipt!!.exe
3852	Receipt!!.exe
3852	Receipt!!.exe
3852	Receipt!!.exe
3852	Receipt!!.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe
2916	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3168	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3852	Receipt!!.exe
3852	Receipt!!.exe
3852	Receipt!!.exe
2916	cmd.exe
2916	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	Receipt!!.exe
Token: SeDebugPrivilege	3852	Receipt!!.exe
Token: SeDebugPrivilege	2916	cmd.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3168	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 3592	744	Receipt!!.exe	98
PID 744 wrote to memory of 3592	744	Receipt!!.exe	98
PID 744 wrote to memory of 3592	744	Receipt!!.exe	98
PID 744 wrote to memory of 1680	744	Receipt!!.exe	100
PID 744 wrote to memory of 1680	744	Receipt!!.exe	100
PID 744 wrote to memory of 1680	744	Receipt!!.exe	100
PID 744 wrote to memory of 3852	744	Receipt!!.exe	99
PID 744 wrote to memory of 3852	744	Receipt!!.exe	99
PID 744 wrote to memory of 3852	744	Receipt!!.exe	99
PID 744 wrote to memory of 3852	744	Receipt!!.exe	99
PID 744 wrote to memory of 3852	744	Receipt!!.exe	99
PID 744 wrote to memory of 3852	744	Receipt!!.exe	99
PID 3168 wrote to memory of 2916	3168	Explorer.EXE	101
PID 3168 wrote to memory of 2916	3168	Explorer.EXE	101
PID 3168 wrote to memory of 2916	3168	Explorer.EXE	101
PID 2916 wrote to memory of 4596	2916	cmd.exe	106
PID 2916 wrote to memory of 4596	2916	cmd.exe	106
PID 2916 wrote to memory of 4596	2916	cmd.exe	106

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Users\Admin\AppData\Local\Temp\Receipt!!.exe
  "C:\Users\Admin\AppData\Local\Temp\Receipt!!.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Users\Admin\AppData\Local\Temp\Receipt!!.exe
    "C:\Users\Admin\AppData\Local\Temp\Receipt!!.exe"
    3⤵
    PID:3592
- - C:\Users\Admin\AppData\Local\Temp\Receipt!!.exe
    "C:\Users\Admin\AppData\Local\Temp\Receipt!!.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3852
- - C:\Users\Admin\AppData\Local\Temp\Receipt!!.exe
    "C:\Users\Admin\AppData\Local\Temp\Receipt!!.exe"
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Receipt!!.exe"
    3⤵
    PID:4596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-14-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/744-1-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/744-2-0x0000000005080000-0x0000000005624000-memory.dmp

Filesize
5.6MB

Download
memory/744-3-0x00000000049B0000-0x0000000004A42000-memory.dmp

Filesize
584KB

Download
memory/744-4-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/744-5-0x0000000004960000-0x000000000496A000-memory.dmp

Filesize
40KB

Download
memory/744-6-0x0000000004CB0000-0x0000000004D4C000-memory.dmp

Filesize
624KB

Download
memory/744-7-0x0000000004C70000-0x0000000004C88000-memory.dmp

Filesize
96KB

Download
memory/744-8-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/744-9-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/744-10-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/744-11-0x0000000006220000-0x000000000628E000-memory.dmp

Filesize
440KB

Download
memory/744-0-0x0000000000010000-0x00000000000BC000-memory.dmp

Filesize
688KB

Download
memory/2916-24-0x0000000001B40000-0x0000000001E8A000-memory.dmp

Filesize
3.3MB

Download
memory/2916-22-0x0000000000B10000-0x0000000000B6A000-memory.dmp

Filesize
360KB

Download
memory/2916-28-0x0000000001970000-0x0000000001A04000-memory.dmp

Filesize
592KB

Download
memory/2916-25-0x0000000001180000-0x00000000011AF000-memory.dmp

Filesize
188KB

Download
memory/2916-23-0x0000000001180000-0x00000000011AF000-memory.dmp

Filesize
188KB

Download
memory/2916-20-0x0000000000B10000-0x0000000000B6A000-memory.dmp

Filesize
360KB

Download
memory/3168-19-0x0000000009630000-0x0000000009753000-memory.dmp

Filesize
1.1MB

Download
memory/3168-26-0x0000000009630000-0x0000000009753000-memory.dmp

Filesize
1.1MB

Download
memory/3168-29-0x0000000009890000-0x0000000009A23000-memory.dmp

Filesize
1.6MB

Download
memory/3168-30-0x0000000009890000-0x0000000009A23000-memory.dmp

Filesize
1.6MB

Download
memory/3168-32-0x0000000009890000-0x0000000009A23000-memory.dmp

Filesize
1.6MB

Download
memory/3852-15-0x00000000017E0000-0x0000000001B2A000-memory.dmp

Filesize
3.3MB

Download
memory/3852-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3852-18-0x0000000001270000-0x0000000001285000-memory.dmp

Filesize
84KB

Download
memory/3852-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing