formbook | 2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625

Analysis

max time kernel
140s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-02-2024 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe
Size

690KB
MD5

3da716e7be62ce9f345c37c84fff8ed9
SHA1

aa92605e8ffa40546407975c7f50f3abe7e3fa67
SHA256

2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625
SHA512

4dfbe7ef693202ae81d8092259493c4c6374f0c55e6dd4a6fa10b52297f0287f2d75d96930cddb0f786c1b31e29c24e6601cb08942fb80c60ded5f7a87a60230
SSDEEP

12288:izNwnqs3y44sAGcprVjQSwMQTKilCj5If71Fs0576ivpVA5wN8wWEACrIYgI:HnPAGcpx5wMKPwC1Fsc76iv7BiC1gI

Score

10^/10

formbook he2a rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

he2a

Decoy

connectioncompass.store

zekicharge.com

dp77.shop

guninfo.guru

mamaeconomics.net

narcisme.coach

redtopassociates.com

ezezn.com

theoregondog.com

pagosmultired.online

emsculptcenterofne.com

meet-friends.online

pf326.com

wealthjigsaw.xyz

arsajib.com

kickassholdings.online

avaturre.biz

dtslogs.com

lb92.tech

pittalam.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1204-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 1204	1692	2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe	102

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1204	2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe
1204	2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe
1204	2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1204	1692	2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe	102
PID 1692 wrote to memory of 1204	1692	2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe	102
PID 1692 wrote to memory of 1204	1692	2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe	102
PID 1692 wrote to memory of 1204	1692	2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe	102
PID 1692 wrote to memory of 1204	1692	2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe	102
PID 1692 wrote to memory of 1204	1692	2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe	102

C:\Users\Admin\AppData\Local\Temp\2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe
"C:\Users\Admin\AppData\Local\Temp\2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe
  "C:\Users\Admin\AppData\Local\Temp\2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-14-0x0000000001870000-0x0000000001BBA000-memory.dmp

Filesize
3.3MB

Download
memory/1692-8-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/1692-9-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-4-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/1692-5-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/1692-6-0x0000000006A50000-0x0000000006A6C000-memory.dmp

Filesize
112KB

Download
memory/1692-7-0x00000000057C0000-0x00000000057CC000-memory.dmp

Filesize
48KB

Download
memory/1692-0-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-3-0x0000000005400000-0x0000000005492000-memory.dmp

Filesize
584KB

Download
memory/1692-10-0x0000000006E20000-0x0000000006E96000-memory.dmp

Filesize
472KB

Download
memory/1692-11-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/1692-12-0x0000000006F30000-0x0000000006FCC000-memory.dmp

Filesize
624KB

Download
memory/1692-2-0x0000000005910000-0x0000000005EB4000-memory.dmp

Filesize
5.6MB

Download
memory/1692-1-0x0000000000960000-0x0000000000A12000-memory.dmp

Filesize
712KB

Download
memory/1692-16-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download