formbook | 8bb3e6cace7598576464639d7f88d0c4d55919b2e110a341df89a1569ae0d5b7

General

Target

akon.exe
Size

756KB
MD5

0690de55a2a4081dd2ebc1f658bba4da
SHA1

e4952f3e5cb0c877c682678dbee181a8c737df28
SHA256

8bb3e6cace7598576464639d7f88d0c4d55919b2e110a341df89a1569ae0d5b7
SHA512

94576e743a774e30fbe40053d06c3d4ad8c4c2e421297bcae108a780713da45bf24487a541fbb1b706d0855a69d6883b68f2ec06be9bd2032e72a77d96ecf5c9

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.merifalls.com/4kx/

Decoy

eufood.info

theprotestmatters.com

khauchakhajina.com

008usa-xxf.com

backriverroadsportsplex.com

shopalndrinks.com

necght.xyz

summaryborrow.info

mys518.com

shopapemodeapparel.com

christineroseartiste.com

rsw2226.com

ashes-of-creation.com

shamilalyadin.com

learning-synergy.com

sendstats.net

waverdemo.tech

dubestol.com

bolterbunny.com

beerciderrebattes.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1108-123-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/1108-124-0x000000000041EAD0-mapping.dmp	formbook
behavioral2/memory/2148-132-0x0000000000870000-0x000000000089E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

akon.exeakon.exesvchost.exe

description	pid	process	target process
PID 3176 set thread context of 1108	3176	akon.exe	akon.exe
PID 1108 set thread context of 2984	1108	akon.exe	Explorer.EXE
PID 2148 set thread context of 2984	2148	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

akon.exeakon.exesvchost.exe

pid	process
3176	akon.exe
3176	akon.exe
1108	akon.exe
1108	akon.exe
1108	akon.exe
1108	akon.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

akon.exesvchost.exe

pid process

1108 akon.exe
1108 akon.exe
1108 akon.exe
2148 svchost.exe
2148 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

akon.exeakon.exesvchost.exe

description pid process

Token: SeDebugPrivilege 3176 akon.exe
Token: SeDebugPrivilege 1108 akon.exe
Token: SeDebugPrivilege 2148 svchost.exe

pid	process
1108	akon.exe
1108	akon.exe
1108	akon.exe
2148	svchost.exe
2148	svchost.exe

description	pid	process
Token: SeDebugPrivilege	3176	akon.exe
Token: SeDebugPrivilege	1108	akon.exe
Token: SeDebugPrivilege	2148	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

akon.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 3176 wrote to memory of 1292	3176	akon.exe	akon.exe
PID 3176 wrote to memory of 1292	3176	akon.exe	akon.exe
PID 3176 wrote to memory of 1292	3176	akon.exe	akon.exe
PID 3176 wrote to memory of 1108	3176	akon.exe	akon.exe
PID 3176 wrote to memory of 1108	3176	akon.exe	akon.exe
PID 3176 wrote to memory of 1108	3176	akon.exe	akon.exe
PID 3176 wrote to memory of 1108	3176	akon.exe	akon.exe
PID 3176 wrote to memory of 1108	3176	akon.exe	akon.exe
PID 3176 wrote to memory of 1108	3176	akon.exe	akon.exe
PID 2984 wrote to memory of 2148	2984	Explorer.EXE	svchost.exe
PID 2984 wrote to memory of 2148	2984	Explorer.EXE	svchost.exe
PID 2984 wrote to memory of 2148	2984	Explorer.EXE	svchost.exe
PID 2148 wrote to memory of 3964	2148	svchost.exe	cmd.exe
PID 2148 wrote to memory of 3964	2148	svchost.exe	cmd.exe
PID 2148 wrote to memory of 3964	2148	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Local\Temp\akon.exe
"C:\Users\Admin\AppData\Local\Temp\akon.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\akon.exe
"C:\Users\Admin\AppData\Local\Temp\akon.exe"
3⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\akon.exe
"C:\Users\Admin\AppData\Local\Temp\akon.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\akon.exe"
3⤵
PID:3964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-123-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1108-127-0x0000000001960000-0x0000000001974000-memory.dmp

Filesize
80KB

Download
memory/1108-126-0x0000000001A00000-0x0000000001D20000-memory.dmp

Filesize
3.1MB

Download
memory/1108-124-0x000000000041EAD0-mapping.dmp

Download
memory/2148-132-0x0000000000870000-0x000000000089E000-memory.dmp

Filesize
184KB

Download
memory/2148-134-0x0000000003160000-0x00000000031F3000-memory.dmp

Filesize
588KB

Download
memory/2148-133-0x0000000003220000-0x0000000003540000-memory.dmp

Filesize
3.1MB

Download
memory/2148-131-0x0000000000C50000-0x0000000000C5C000-memory.dmp

Filesize
48KB

Download
memory/2148-129-0x0000000000000000-mapping.dmp

Download
memory/2984-128-0x00000000065A0000-0x0000000006738000-memory.dmp

Filesize
1.6MB

Download
memory/2984-135-0x0000000006740000-0x000000000681E000-memory.dmp

Filesize
888KB

Download
memory/3176-119-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/3176-116-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3176-117-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/3176-114-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3176-118-0x00000000051F0000-0x00000000051FE000-memory.dmp

Filesize
56KB

Download
memory/3176-120-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/3176-122-0x00000000059C0000-0x0000000005A30000-memory.dmp

Filesize
448KB

Download
memory/3176-121-0x0000000005800000-0x00000000058B5000-memory.dmp

Filesize
724KB

Download
memory/3964-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads