formbook | 8eaa17ae54b2e26d29ac40caf68baa9ebdf959ea40fb0a66d6317363c748679a

General

Target

Dekont.exe
Size

302KB
MD5

fb8596a40d08f57a5ec1e1abf81b440f
SHA1

5a9219dfff7ec0b32ecb8be445542e19b826774c
SHA256

8eaa17ae54b2e26d29ac40caf68baa9ebdf959ea40fb0a66d6317363c748679a
SHA512

eb88ccc25ecc94b78dd6e24396ce3c8f1d4e2b609615bddc5f45b5d901b1b48568576e1e88617dd363557ad2b811912d3ac7069b2da6df0a27f38cdccd8817e9

Score

10^/10

formbook k12t rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k12t

Decoy

alphasaludsas.com

route7adventures.com

zeenat.life

atendimento.center

alejandrojosueruizmazzeo.com

shopidentitymeisterdown.com

letseat.global

recettesbetty.com

neodrugtest.com

2eji5j.xyz

diversifyingawards.com

ptemeta.xyz

ivonelemos.com

051gg.com

michaelscomputerstore.com

warneattrinityclub.com

genesys-rdc.com

dcbest88.com

zdorovjaplus.com

laurelheap.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3836-119-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3836-124-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/580-128-0x0000000003070000-0x000000000309F000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

Dekont.exe

pid process

2692 Dekont.exe

pid	process
2692	Dekont.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Dekont.exeDekont.exemstsc.exe

description	pid	process	target process
PID 2692 set thread context of 3836	2692	Dekont.exe	Dekont.exe
PID 3836 set thread context of 3068	3836	Dekont.exe	Explorer.EXE
PID 3836 set thread context of 3068	3836	Dekont.exe	Explorer.EXE
PID 580 set thread context of 3068	580	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

Dekont.exemstsc.exe

pid	process
3836	Dekont.exe
3836	Dekont.exe
3836	Dekont.exe
3836	Dekont.exe
3836	Dekont.exe
3836	Dekont.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe
580	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3068 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Dekont.exemstsc.exe

pid process

3836 Dekont.exe
3836 Dekont.exe
3836 Dekont.exe
3836 Dekont.exe
580 mstsc.exe
580 mstsc.exe

pid	process
3068	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Dekont.exemstsc.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3836	Dekont.exe
Token: SeDebugPrivilege	580	mstsc.exe
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Dekont.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 2692 wrote to memory of 3836	2692	Dekont.exe	Dekont.exe
PID 2692 wrote to memory of 3836	2692	Dekont.exe	Dekont.exe
PID 2692 wrote to memory of 3836	2692	Dekont.exe	Dekont.exe
PID 2692 wrote to memory of 3836	2692	Dekont.exe	Dekont.exe
PID 2692 wrote to memory of 3836	2692	Dekont.exe	Dekont.exe
PID 2692 wrote to memory of 3836	2692	Dekont.exe	Dekont.exe
PID 3068 wrote to memory of 580	3068	Explorer.EXE	mstsc.exe
PID 3068 wrote to memory of 580	3068	Explorer.EXE	mstsc.exe
PID 3068 wrote to memory of 580	3068	Explorer.EXE	mstsc.exe
PID 580 wrote to memory of 1888	580	mstsc.exe	cmd.exe
PID 580 wrote to memory of 1888	580	mstsc.exe	cmd.exe
PID 580 wrote to memory of 1888	580	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\Dekont.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\Temp\Dekont.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
3⤵
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nswAF00.tmp\enfvli.dll
MD5
78e94d9eba25bc2dcd81e530ca5259df

SHA1
59919a0ea559e5d223b8d183e015ffeea1155e69

SHA256
c09a464cbede92ab8c61c6a8a3b23dfb752e9f1e0313d0f362965f774f8ba75b

SHA512
44ad040d82b0fb1afcb48484167de6289b505bfaa05d4cef89b0ed2892bcb660ea4446d1b19f87ab6523e4aa767a2de43a66fe20f45cffaa071fee330d198343

Download Submit
memory/580-127-0x0000000000A70000-0x0000000000D6C000-memory.dmp

Filesize
3.0MB

Download
memory/580-130-0x0000000004620000-0x00000000047BD000-memory.dmp

Filesize
1.6MB

Download
memory/580-129-0x00000000047C0000-0x0000000004AE0000-memory.dmp

Filesize
3.1MB

Download
memory/580-128-0x0000000003070000-0x000000000309F000-memory.dmp

Filesize
188KB

Download
memory/3068-131-0x0000000002E50000-0x0000000002F07000-memory.dmp

Filesize
732KB

Download
memory/3068-123-0x0000000001100000-0x00000000011BB000-memory.dmp

Filesize
748KB

Download
memory/3068-126-0x0000000006870000-0x00000000069A3000-memory.dmp

Filesize
1.2MB

Download
memory/3836-122-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/3836-125-0x0000000002700000-0x0000000002714000-memory.dmp

Filesize
80KB

Download
memory/3836-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-120-0x0000000000A40000-0x0000000000D60000-memory.dmp

Filesize
3.1MB

Download
memory/3836-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads