formbook | 037d18a0489c63d5d9ba87f8ea9652c511df0787eb9d8fe361cfab7f93e03582

General

Target

shelamas3.1.exe
Size

511KB
MD5

7994c54a4717446039c90d9f5e63d4ce
SHA1

18f5bc70c635da9b95e47898f0313758e225a380
SHA256

037d18a0489c63d5d9ba87f8ea9652c511df0787eb9d8fe361cfab7f93e03582
SHA512

69dc8129beeb15632ea7ea8c63d95bd1a08c8fb3aaacf7344d3ec01bd9efd9f5e6f4dd9e540c159c83a25bcf0003caa57ed944351e6a20c769e124302a0ea5af
SSDEEP

12288:nEUfI55vi6nBA+FrSbH/PJ8jevCPyyYmYj:npYnnBA+FG7/h8jeKPtYtj

Score

10^/10

formbook sk19 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk19

Decoy

21diasdegratitud.com

kx1993.com

chasergt.com

837news.com

naturagent.co.uk

gatorinsurtech.com

iyaboolashilesblog.africa

jamtanganmurah.online

gguminsa.com

lilliesdrop.com

lenvera.com

link48.co.uk

azinos777.fun

lgcdct.cfd

bg-gobtc.com

livecarrer.uk

cbq4u.com

imalreadygone.com

wabeng.africa

jxmheiyouyuetot.tokyo

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/908-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/988-70-0x00000000000E0000-0x000000000010F000-memory.dmp	formbook
behavioral1/memory/988-74-0x00000000000E0000-0x000000000010F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

okkofadc.exeokkofadc.exe

pid process

1280 okkofadc.exe
908 okkofadc.exe
Loads dropped DLL 2 IoCs

Processes:

shelamas3.1.exeokkofadc.exe

pid process

1296 shelamas3.1.exe
1280 okkofadc.exe

pid	process
1280	okkofadc.exe
908	okkofadc.exe

pid	process
1296	shelamas3.1.exe
1280	okkofadc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

okkofadc.exeokkofadc.exeNAPSTAT.EXE

description	pid	process	target process
PID 1280 set thread context of 908	1280	okkofadc.exe	okkofadc.exe
PID 908 set thread context of 1252	908	okkofadc.exe	Explorer.EXE
PID 988 set thread context of 1252	988	NAPSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

okkofadc.exeNAPSTAT.EXE

pid	process
908	okkofadc.exe
908	okkofadc.exe
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE
988	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

okkofadc.exeokkofadc.exeNAPSTAT.EXE

pid process

1280 okkofadc.exe
908 okkofadc.exe
908 okkofadc.exe
908 okkofadc.exe
988 NAPSTAT.EXE
988 NAPSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

okkofadc.exeNAPSTAT.EXE

description pid process

Token: SeDebugPrivilege 908 okkofadc.exe
Token: SeDebugPrivilege 988 NAPSTAT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
1252 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
1252 Explorer.EXE

pid	process
1252	Explorer.EXE

pid	process
1280	okkofadc.exe
908	okkofadc.exe
908	okkofadc.exe
908	okkofadc.exe
988	NAPSTAT.EXE
988	NAPSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	908	okkofadc.exe
Token: SeDebugPrivilege	988	NAPSTAT.EXE

pid	process
1252	Explorer.EXE
1252	Explorer.EXE

pid	process
1252	Explorer.EXE
1252	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

shelamas3.1.exeokkofadc.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 1296 wrote to memory of 1280	1296	shelamas3.1.exe	okkofadc.exe
PID 1296 wrote to memory of 1280	1296	shelamas3.1.exe	okkofadc.exe
PID 1296 wrote to memory of 1280	1296	shelamas3.1.exe	okkofadc.exe
PID 1296 wrote to memory of 1280	1296	shelamas3.1.exe	okkofadc.exe
PID 1280 wrote to memory of 908	1280	okkofadc.exe	okkofadc.exe
PID 1280 wrote to memory of 908	1280	okkofadc.exe	okkofadc.exe
PID 1280 wrote to memory of 908	1280	okkofadc.exe	okkofadc.exe
PID 1280 wrote to memory of 908	1280	okkofadc.exe	okkofadc.exe
PID 1280 wrote to memory of 908	1280	okkofadc.exe	okkofadc.exe
PID 1252 wrote to memory of 988	1252	Explorer.EXE	NAPSTAT.EXE
PID 1252 wrote to memory of 988	1252	Explorer.EXE	NAPSTAT.EXE
PID 1252 wrote to memory of 988	1252	Explorer.EXE	NAPSTAT.EXE
PID 1252 wrote to memory of 988	1252	Explorer.EXE	NAPSTAT.EXE
PID 988 wrote to memory of 1772	988	NAPSTAT.EXE	cmd.exe
PID 988 wrote to memory of 1772	988	NAPSTAT.EXE	cmd.exe
PID 988 wrote to memory of 1772	988	NAPSTAT.EXE	cmd.exe
PID 988 wrote to memory of 1772	988	NAPSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\shelamas3.1.exe
"C:\Users\Admin\AppData\Local\Temp\shelamas3.1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\okkofadc.exe
"C:\Users\Admin\AppData\Local\Temp\okkofadc.exe" C:\Users\Admin\AppData\Local\Temp\xhyjiy.m
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\okkofadc.exe
"C:\Users\Admin\AppData\Local\Temp\okkofadc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\okkofadc.exe"
3⤵
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\njxax.yfi
Filesize
185KB

MD5
fb30577d40cca07b0f963ab502e29e67

SHA1
648337acbbf654bde51db56bce0eeeb04b0d1ede

SHA256
24cf1f1d4fe2420ac79df368d25760da7557e1a2b006f006effb2c93f90a70af

SHA512
598a84eb62b7e191248ab6fbfa26903883ca84365b8112b4cb67de59c9e0c38a4a77a703d84763f9b97cfabe8c15f4f1c8d7417398b0cd08ef269f0225612134

Download Submit
C:\Users\Admin\AppData\Local\Temp\okkofadc.exe
Filesize
267KB

MD5
863b7a8eb137b0fd9a36296c249936a5

SHA1
e42b00e887f8303e19dfd9e6484150f9fccc6873

SHA256
0a8372ac64cf7348a7d146d500c6a05b888d7423959223aa8e4c3e3083694f15

SHA512
4682494dd04873ec102adec9831cafb932cbffb31054bf14ee3af9e4992513b4e0598e72be5ff1f6a3f8e84b89194290ced3cf3f11cde8700992de714cec7888

Download Submit
C:\Users\Admin\AppData\Local\Temp\okkofadc.exe
Filesize
267KB

MD5
863b7a8eb137b0fd9a36296c249936a5

SHA1
e42b00e887f8303e19dfd9e6484150f9fccc6873

SHA256
0a8372ac64cf7348a7d146d500c6a05b888d7423959223aa8e4c3e3083694f15

SHA512
4682494dd04873ec102adec9831cafb932cbffb31054bf14ee3af9e4992513b4e0598e72be5ff1f6a3f8e84b89194290ced3cf3f11cde8700992de714cec7888

Download Submit
C:\Users\Admin\AppData\Local\Temp\okkofadc.exe
Filesize
267KB

MD5
863b7a8eb137b0fd9a36296c249936a5

SHA1
e42b00e887f8303e19dfd9e6484150f9fccc6873

SHA256
0a8372ac64cf7348a7d146d500c6a05b888d7423959223aa8e4c3e3083694f15

SHA512
4682494dd04873ec102adec9831cafb932cbffb31054bf14ee3af9e4992513b4e0598e72be5ff1f6a3f8e84b89194290ced3cf3f11cde8700992de714cec7888

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhyjiy.m
Filesize
5KB

MD5
6944d66e289600d634edd3e655a5db7f

SHA1
f1b0afb77e54a2a00a9ed14d5f3aa4c2d9f4fb50

SHA256
8be7f4956d97276582a10a532e191b4cdab77e768bccf7979acf7533e2811f50

SHA512
5de4087a5f8e263325d0ba0c1336fcf20deeb0b607ec23ae9adfb540cea5ab3de5f8c5e6585f77c42ab88bc504019f95012d778fa4dca31646d77ddb13e458e5

Download Submit
\Users\Admin\AppData\Local\Temp\okkofadc.exe
Filesize
267KB

MD5
863b7a8eb137b0fd9a36296c249936a5

SHA1
e42b00e887f8303e19dfd9e6484150f9fccc6873

SHA256
0a8372ac64cf7348a7d146d500c6a05b888d7423959223aa8e4c3e3083694f15

SHA512
4682494dd04873ec102adec9831cafb932cbffb31054bf14ee3af9e4992513b4e0598e72be5ff1f6a3f8e84b89194290ced3cf3f11cde8700992de714cec7888

Download Submit
\Users\Admin\AppData\Local\Temp\okkofadc.exe
Filesize
267KB

MD5
863b7a8eb137b0fd9a36296c249936a5

SHA1
e42b00e887f8303e19dfd9e6484150f9fccc6873

SHA256
0a8372ac64cf7348a7d146d500c6a05b888d7423959223aa8e4c3e3083694f15

SHA512
4682494dd04873ec102adec9831cafb932cbffb31054bf14ee3af9e4992513b4e0598e72be5ff1f6a3f8e84b89194290ced3cf3f11cde8700992de714cec7888

Download Submit
memory/908-62-0x000000000041F100-mapping.dmp

Download
memory/908-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/908-65-0x0000000000C70000-0x0000000000F73000-memory.dmp

Filesize
3.0MB

Download
memory/908-66-0x00000000003A0000-0x00000000003B4000-memory.dmp

Filesize
80KB

Download
memory/988-71-0x0000000001F10000-0x0000000002213000-memory.dmp

Filesize
3.0MB

Download
memory/988-75-0x0000000000870000-0x0000000000903000-memory.dmp

Filesize
588KB

Download
memory/988-74-0x00000000000E0000-0x000000000010F000-memory.dmp

Filesize
188KB

Download
memory/988-68-0x0000000000000000-mapping.dmp

Download
memory/988-69-0x0000000000930000-0x0000000000976000-memory.dmp

Filesize
280KB

Download
memory/988-70-0x00000000000E0000-0x000000000010F000-memory.dmp

Filesize
188KB

Download
memory/1252-67-0x0000000006280000-0x000000000638A000-memory.dmp

Filesize
1.0MB

Download
memory/1252-73-0x0000000006280000-0x000000000638A000-memory.dmp

Filesize
1.0MB

Download
memory/1252-76-0x0000000006490000-0x000000000652B000-memory.dmp

Filesize
620KB

Download
memory/1252-77-0x0000000006490000-0x000000000652B000-memory.dmp

Filesize
620KB

Download
memory/1280-56-0x0000000000000000-mapping.dmp

Download
memory/1296-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/1772-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads