formbook | 8bb3e6cace7598576464639d7f88d0c4d55919b2e110a341df89a1569ae0d5b7

General

Target

akon.exe
Size

756KB
MD5

0690de55a2a4081dd2ebc1f658bba4da
SHA1

e4952f3e5cb0c877c682678dbee181a8c737df28
SHA256

8bb3e6cace7598576464639d7f88d0c4d55919b2e110a341df89a1569ae0d5b7
SHA512

94576e743a774e30fbe40053d06c3d4ad8c4c2e421297bcae108a780713da45bf24487a541fbb1b706d0855a69d6883b68f2ec06be9bd2032e72a77d96ecf5c9

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.merifalls.com/4kx/

Decoy

eufood.info

theprotestmatters.com

khauchakhajina.com

008usa-xxf.com

backriverroadsportsplex.com

shopalndrinks.com

necght.xyz

summaryborrow.info

mys518.com

shopapemodeapparel.com

christineroseartiste.com

rsw2226.com

ashes-of-creation.com

shamilalyadin.com

learning-synergy.com

sendstats.net

waverdemo.tech

dubestol.com

bolterbunny.com

beerciderrebattes.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1324-65-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1324-66-0x000000000041EAD0-mapping.dmp	formbook
behavioral1/memory/360-74-0x00000000000C0000-0x00000000000EE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

868 cmd.exe

pid	process
868	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

akon.exeakon.exehelp.exe

description	pid	process	target process
PID 756 set thread context of 1324	756	akon.exe	akon.exe
PID 1324 set thread context of 1208	1324	akon.exe	Explorer.EXE
PID 360 set thread context of 1208	360	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

akon.exehelp.exe

pid process

1324 akon.exe
1324 akon.exe
360 help.exe
360 help.exe
360 help.exe
360 help.exe
360 help.exe
360 help.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

akon.exehelp.exe

pid process

1324 akon.exe
1324 akon.exe
1324 akon.exe
360 help.exe
360 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

akon.exehelp.exe

description pid process

Token: SeDebugPrivilege 1324 akon.exe
Token: SeDebugPrivilege 360 help.exe

pid	process
1324	akon.exe
1324	akon.exe
360	help.exe
360	help.exe
360	help.exe
360	help.exe
360	help.exe
360	help.exe

pid	process
1324	akon.exe
1324	akon.exe
1324	akon.exe
360	help.exe
360	help.exe

description	pid	process
Token: SeDebugPrivilege	1324	akon.exe
Token: SeDebugPrivilege	360	help.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

akon.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 756 wrote to memory of 1324	756	akon.exe	akon.exe
PID 756 wrote to memory of 1324	756	akon.exe	akon.exe
PID 756 wrote to memory of 1324	756	akon.exe	akon.exe
PID 756 wrote to memory of 1324	756	akon.exe	akon.exe
PID 756 wrote to memory of 1324	756	akon.exe	akon.exe
PID 756 wrote to memory of 1324	756	akon.exe	akon.exe
PID 756 wrote to memory of 1324	756	akon.exe	akon.exe
PID 1208 wrote to memory of 360	1208	Explorer.EXE	help.exe
PID 1208 wrote to memory of 360	1208	Explorer.EXE	help.exe
PID 1208 wrote to memory of 360	1208	Explorer.EXE	help.exe
PID 1208 wrote to memory of 360	1208	Explorer.EXE	help.exe
PID 360 wrote to memory of 868	360	help.exe	cmd.exe
PID 360 wrote to memory of 868	360	help.exe	cmd.exe
PID 360 wrote to memory of 868	360	help.exe	cmd.exe
PID 360 wrote to memory of 868	360	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\akon.exe
"C:\Users\Admin\AppData\Local\Temp\akon.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\akon.exe
"C:\Users\Admin\AppData\Local\Temp\akon.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\akon.exe"
3⤵
- Deletes itself
PID:868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/360-71-0x0000000000000000-mapping.dmp

Download
memory/360-76-0x0000000000690000-0x0000000000723000-memory.dmp

Filesize
588KB

Download
memory/360-75-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/360-74-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/360-73-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/756-64-0x0000000000AD0000-0x0000000000B40000-memory.dmp

Filesize
448KB

Download
memory/756-59-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/756-63-0x0000000005100000-0x00000000051B5000-memory.dmp

Filesize
724KB

Download
memory/756-62-0x0000000000660000-0x000000000066E000-memory.dmp

Filesize
56KB

Download
memory/756-61-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/868-72-0x0000000000000000-mapping.dmp

Download
memory/1208-70-0x0000000004CA0000-0x0000000004E2A000-memory.dmp

Filesize
1.5MB

Download
memory/1208-77-0x0000000004B80000-0x0000000004C2A000-memory.dmp

Filesize
680KB

Download
memory/1324-66-0x000000000041EAD0-mapping.dmp

Download
memory/1324-68-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/1324-69-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/1324-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads