formbook | 8f8813e3ed0cdb3ac92de8e6003bc83c0ec859fc717748cab6a45f56a98a9201

General

Target

ADASU AKU-GIB2022.exe
Size

1.3MB
MD5

e124339f08506d6b5bab4d071784a65e
SHA1

bcac9d8f2919ed3e57ad78f4a5c999b3b9faf88f
SHA256

8f8813e3ed0cdb3ac92de8e6003bc83c0ec859fc717748cab6a45f56a98a9201
SHA512

0d8c3949cd7cdd07264398dbf9a6224c6ab40af0ee81d1936bb2a436f25981309958f5f9c405ad5553890cf94dd7f55667a07b44336ffefbc90c0127e8825df9
SSDEEP

24576:rAOcZ8hI77JrtcZ2iYLwHQciT79xUkjPV99npuezy71oporahX:ta79pcZ2iM+QHTjUkj9fZe6Gc

Score

10^/10

formbook mh76 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mh76

Decoy

healthgovcalottery.net

wenxinliao.com

rooterphd.com

bbobbo.one

american-mes-de-dezembro.xyz

mintager.com

thespecialtstore.com

wemakegreenhomes.com

occurandmental.xyz

fidelityrealtytitle.com

numerisat.asia

wearestallions.com

supxl.com

rajacumi.com

renaziv.online

blixtindustries.com

fjljq.com

exploretrivenicamping.com

authenticusspa.com

uucloud.press

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2596-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2596-138-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/2596-145-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/932-147-0x0000000001060000-0x000000000108F000-memory.dmp	formbook
behavioral2/memory/932-152-0x0000000001060000-0x000000000108F000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

akowhwdxro.pif

pid process

4876 akowhwdxro.pif

pid	process
4876	akowhwdxro.pif

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ADASU AKU-GIB2022.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ADASU AKU-GIB2022.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

akowhwdxro.pifRegSvcs.exesystray.exe

description	pid	process	target process
PID 4876 set thread context of 2596	4876	akowhwdxro.pif	RegSvcs.exe
PID 2596 set thread context of 2724	2596	RegSvcs.exe	Explorer.EXE
PID 932 set thread context of 2724	932	systray.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

RegSvcs.exesystray.exe

pid	process
2596	RegSvcs.exe
2596	RegSvcs.exe
2596	RegSvcs.exe
2596	RegSvcs.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe
932	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2724 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exesystray.exe

pid process

2596 RegSvcs.exe
2596 RegSvcs.exe
2596 RegSvcs.exe
932 systray.exe
932 systray.exe

pid	process
2724	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RegSvcs.exeExplorer.EXEsystray.exe

description	pid	process
Token: SeDebugPrivilege	2596	RegSvcs.exe
Token: SeShutdownPrivilege	2724	Explorer.EXE
Token: SeCreatePagefilePrivilege	2724	Explorer.EXE
Token: SeShutdownPrivilege	2724	Explorer.EXE
Token: SeCreatePagefilePrivilege	2724	Explorer.EXE
Token: SeDebugPrivilege	932	systray.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ADASU AKU-GIB2022.exeakowhwdxro.pifExplorer.EXEsystray.exe

description	pid	process	target process
PID 4308 wrote to memory of 4876	4308	ADASU AKU-GIB2022.exe	akowhwdxro.pif
PID 4308 wrote to memory of 4876	4308	ADASU AKU-GIB2022.exe	akowhwdxro.pif
PID 4308 wrote to memory of 4876	4308	ADASU AKU-GIB2022.exe	akowhwdxro.pif
PID 4876 wrote to memory of 2348	4876	akowhwdxro.pif	RegSvcs.exe
PID 4876 wrote to memory of 2348	4876	akowhwdxro.pif	RegSvcs.exe
PID 4876 wrote to memory of 2348	4876	akowhwdxro.pif	RegSvcs.exe
PID 4876 wrote to memory of 2596	4876	akowhwdxro.pif	RegSvcs.exe
PID 4876 wrote to memory of 2596	4876	akowhwdxro.pif	RegSvcs.exe
PID 4876 wrote to memory of 2596	4876	akowhwdxro.pif	RegSvcs.exe
PID 4876 wrote to memory of 2596	4876	akowhwdxro.pif	RegSvcs.exe
PID 4876 wrote to memory of 2596	4876	akowhwdxro.pif	RegSvcs.exe
PID 4876 wrote to memory of 2596	4876	akowhwdxro.pif	RegSvcs.exe
PID 2724 wrote to memory of 932	2724	Explorer.EXE	systray.exe
PID 2724 wrote to memory of 932	2724	Explorer.EXE	systray.exe
PID 2724 wrote to memory of 932	2724	Explorer.EXE	systray.exe
PID 932 wrote to memory of 3492	932	systray.exe	cmd.exe
PID 932 wrote to memory of 3492	932	systray.exe	cmd.exe
PID 932 wrote to memory of 3492	932	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\ADASU AKU-GIB2022.exe
"C:\Users\Admin\AppData\Local\Temp\ADASU AKU-GIB2022.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4308

C:\8_109\akowhwdxro.pif
"C:\8_109\akowhwdxro.pif" kjem.dfj
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:3492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\8_109\akowhwdxro.pif
Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
C:\8_109\akowhwdxro.pif
Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
C:\8_109\divktkmrtd.jsj
Filesize
371KB

MD5
346d454bd9465d8e2a3d7701c505941a

SHA1
51aebc65e3f83a6c9a56a476b3b5310033114e70

SHA256
8cfea515b17fde80cb3a964ae17b853fede82c767ff910ff50176c5eccaaf62a

SHA512
9fb32ba57fbef97b4cd78d625795e26c656fda976cc39e84b7ab8ffc31baccfe2736eae74941fffa5fc004ecb159b3a65856abc3566012886c5403f11fd9d783

Download Submit
C:\8_109\kjem.dfj
Filesize
207.8MB

MD5
b312220c59e94dd3a5d806c0777e69db

SHA1
0747d063290adc93de86696f8f118d7d7d6f4316

SHA256
1ffe15cf809f7d6cc22046d0b4b1831daa2c2045e11b2d8c19289dbb1262e01a

SHA512
81bbc25749992fc33d3194274737ed1f9ebccaaa388602628f288a637c8e6639162eff9281ed0115b448dba63db1f9e3027c7f2be4c17a38f36589c4ce747b1f

Download Submit
C:\8_109\xwinq.msc
Filesize
40KB

MD5
8f5c6bec28d8878ab051425978eb8f94

SHA1
afc50fbbd2773a448afceda572b2f61b7c31c2f1

SHA256
56e1426342bfeb5a391203b02f70bcf4ab4319f2aa44afeb60aa7db77e9f239a

SHA512
3c9cbc8d7e599bd714262ab1bfcb9bbfb3b3670818354190c1ff134dcea80a3a6d4ad47c3d1b345aadea3bc2193909a6d0a66eae4df17a5b16352e04aa33d002

Download Submit
memory/932-144-0x0000000000000000-mapping.dmp

Download
memory/932-150-0x0000000002D80000-0x0000000002E14000-memory.dmp

Filesize
592KB

Download
memory/932-147-0x0000000001060000-0x000000000108F000-memory.dmp

Filesize
188KB

Download
memory/932-149-0x0000000002EE0000-0x000000000322A000-memory.dmp

Filesize
3.3MB

Download
memory/932-146-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/932-152-0x0000000001060000-0x000000000108F000-memory.dmp

Filesize
188KB

Download
memory/2596-141-0x0000000001490000-0x00000000017DA000-memory.dmp

Filesize
3.3MB

Download
memory/2596-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-142-0x00000000017E0000-0x00000000017F5000-memory.dmp

Filesize
84KB

Download
memory/2596-138-0x0000000000000000-mapping.dmp

Download
memory/2596-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-143-0x0000000002840000-0x000000000296B000-memory.dmp

Filesize
1.2MB

Download
memory/2724-151-0x0000000008580000-0x00000000086E0000-memory.dmp

Filesize
1.4MB

Download
memory/2724-153-0x0000000008580000-0x00000000086E0000-memory.dmp

Filesize
1.4MB

Download
memory/3492-148-0x0000000000000000-mapping.dmp

Download
memory/4876-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads