formbook | 037d18a0489c63d5d9ba87f8ea9652c511df0787eb9d8fe361cfab7f93e03582

General

Target

shelamas3.1.exe
Size

511KB
MD5

7994c54a4717446039c90d9f5e63d4ce
SHA1

18f5bc70c635da9b95e47898f0313758e225a380
SHA256

037d18a0489c63d5d9ba87f8ea9652c511df0787eb9d8fe361cfab7f93e03582
SHA512

69dc8129beeb15632ea7ea8c63d95bd1a08c8fb3aaacf7344d3ec01bd9efd9f5e6f4dd9e540c159c83a25bcf0003caa57ed944351e6a20c769e124302a0ea5af
SSDEEP

12288:nEUfI55vi6nBA+FrSbH/PJ8jevCPyyYmYj:npYnnBA+FG7/h8jeKPtYtj

Score

10^/10

formbook sk19 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk19

Decoy

21diasdegratitud.com

kx1993.com

chasergt.com

837news.com

naturagent.co.uk

gatorinsurtech.com

iyaboolashilesblog.africa

jamtanganmurah.online

gguminsa.com

lilliesdrop.com

lenvera.com

link48.co.uk

azinos777.fun

lgcdct.cfd

bg-gobtc.com

livecarrer.uk

cbq4u.com

imalreadygone.com

wabeng.africa

jxmheiyouyuetot.tokyo

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2440-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2440-145-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3436-149-0x0000000000500000-0x000000000052F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

okkofadc.exeokkofadc.exe

pid process

4420 okkofadc.exe
2440 okkofadc.exe

pid	process
4420	okkofadc.exe
2440	okkofadc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

okkofadc.exeokkofadc.execontrol.exe

description	pid	process	target process
PID 4420 set thread context of 2440	4420	okkofadc.exe	okkofadc.exe
PID 2440 set thread context of 2724	2440	okkofadc.exe	Explorer.EXE
PID 2440 set thread context of 2724	2440	okkofadc.exe	Explorer.EXE
PID 3436 set thread context of 2724	3436	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

okkofadc.execontrol.exe

pid	process
2440	okkofadc.exe
2440	okkofadc.exe
2440	okkofadc.exe
2440	okkofadc.exe
2440	okkofadc.exe
2440	okkofadc.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe
3436	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2724 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

okkofadc.exeokkofadc.execontrol.exe

pid process

4420 okkofadc.exe
2440 okkofadc.exe
2440 okkofadc.exe
2440 okkofadc.exe
2440 okkofadc.exe
3436 control.exe
3436 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

okkofadc.execontrol.exe

description pid process

Token: SeDebugPrivilege 2440 okkofadc.exe
Token: SeDebugPrivilege 3436 control.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2724 Explorer.EXE

pid	process
2724	Explorer.EXE

pid	process
4420	okkofadc.exe
2440	okkofadc.exe
2440	okkofadc.exe
2440	okkofadc.exe
2440	okkofadc.exe
3436	control.exe
3436	control.exe

description	pid	process
Token: SeDebugPrivilege	2440	okkofadc.exe
Token: SeDebugPrivilege	3436	control.exe

pid	process
2724	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

shelamas3.1.exeokkofadc.exeokkofadc.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 4192 wrote to memory of 4420	4192	shelamas3.1.exe	okkofadc.exe
PID 4192 wrote to memory of 4420	4192	shelamas3.1.exe	okkofadc.exe
PID 4192 wrote to memory of 4420	4192	shelamas3.1.exe	okkofadc.exe
PID 4420 wrote to memory of 2440	4420	okkofadc.exe	okkofadc.exe
PID 4420 wrote to memory of 2440	4420	okkofadc.exe	okkofadc.exe
PID 4420 wrote to memory of 2440	4420	okkofadc.exe	okkofadc.exe
PID 4420 wrote to memory of 2440	4420	okkofadc.exe	okkofadc.exe
PID 2440 wrote to memory of 3436	2440	okkofadc.exe	control.exe
PID 2440 wrote to memory of 3436	2440	okkofadc.exe	control.exe
PID 2440 wrote to memory of 3436	2440	okkofadc.exe	control.exe
PID 2724 wrote to memory of 4756	2724	Explorer.EXE	WWAHost.exe
PID 2724 wrote to memory of 4756	2724	Explorer.EXE	WWAHost.exe
PID 2724 wrote to memory of 4756	2724	Explorer.EXE	WWAHost.exe
PID 3436 wrote to memory of 4472	3436	control.exe	cmd.exe
PID 3436 wrote to memory of 4472	3436	control.exe	cmd.exe
PID 3436 wrote to memory of 4472	3436	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\shelamas3.1.exe
"C:\Users\Admin\AppData\Local\Temp\shelamas3.1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\okkofadc.exe
"C:\Users\Admin\AppData\Local\Temp\okkofadc.exe" C:\Users\Admin\AppData\Local\Temp\xhyjiy.m
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4420

C:\Users\Admin\AppData\Local\Temp\okkofadc.exe
"C:\Users\Admin\AppData\Local\Temp\okkofadc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\okkofadc.exe"
6⤵
PID:4472

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3080

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
PID:4756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\njxax.yfi
Filesize
185KB

MD5
fb30577d40cca07b0f963ab502e29e67

SHA1
648337acbbf654bde51db56bce0eeeb04b0d1ede

SHA256
24cf1f1d4fe2420ac79df368d25760da7557e1a2b006f006effb2c93f90a70af

SHA512
598a84eb62b7e191248ab6fbfa26903883ca84365b8112b4cb67de59c9e0c38a4a77a703d84763f9b97cfabe8c15f4f1c8d7417398b0cd08ef269f0225612134

Download Submit
C:\Users\Admin\AppData\Local\Temp\okkofadc.exe
Filesize
267KB

MD5
863b7a8eb137b0fd9a36296c249936a5

SHA1
e42b00e887f8303e19dfd9e6484150f9fccc6873

SHA256
0a8372ac64cf7348a7d146d500c6a05b888d7423959223aa8e4c3e3083694f15

SHA512
4682494dd04873ec102adec9831cafb932cbffb31054bf14ee3af9e4992513b4e0598e72be5ff1f6a3f8e84b89194290ced3cf3f11cde8700992de714cec7888

Download Submit
C:\Users\Admin\AppData\Local\Temp\okkofadc.exe
Filesize
267KB

MD5
863b7a8eb137b0fd9a36296c249936a5

SHA1
e42b00e887f8303e19dfd9e6484150f9fccc6873

SHA256
0a8372ac64cf7348a7d146d500c6a05b888d7423959223aa8e4c3e3083694f15

SHA512
4682494dd04873ec102adec9831cafb932cbffb31054bf14ee3af9e4992513b4e0598e72be5ff1f6a3f8e84b89194290ced3cf3f11cde8700992de714cec7888

Download Submit
C:\Users\Admin\AppData\Local\Temp\okkofadc.exe
Filesize
267KB

MD5
863b7a8eb137b0fd9a36296c249936a5

SHA1
e42b00e887f8303e19dfd9e6484150f9fccc6873

SHA256
0a8372ac64cf7348a7d146d500c6a05b888d7423959223aa8e4c3e3083694f15

SHA512
4682494dd04873ec102adec9831cafb932cbffb31054bf14ee3af9e4992513b4e0598e72be5ff1f6a3f8e84b89194290ced3cf3f11cde8700992de714cec7888

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhyjiy.m
Filesize
5KB

MD5
6944d66e289600d634edd3e655a5db7f

SHA1
f1b0afb77e54a2a00a9ed14d5f3aa4c2d9f4fb50

SHA256
8be7f4956d97276582a10a532e191b4cdab77e768bccf7979acf7533e2811f50

SHA512
5de4087a5f8e263325d0ba0c1336fcf20deeb0b607ec23ae9adfb540cea5ab3de5f8c5e6585f77c42ab88bc504019f95012d778fa4dca31646d77ddb13e458e5

Download Submit
memory/2440-143-0x0000000003000000-0x0000000003014000-memory.dmp

Filesize
80KB

Download
memory/2440-137-0x0000000000000000-mapping.dmp

Download
memory/2440-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-140-0x0000000001510000-0x000000000185A000-memory.dmp

Filesize
3.3MB

Download
memory/2440-141-0x00000000013E0000-0x00000000013F4000-memory.dmp

Filesize
80KB

Download
memory/2440-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-142-0x0000000008C90000-0x0000000008D7C000-memory.dmp

Filesize
944KB

Download
memory/2724-144-0x00000000084B0000-0x0000000008583000-memory.dmp

Filesize
844KB

Download
memory/2724-146-0x0000000008C90000-0x0000000008D7C000-memory.dmp

Filesize
944KB

Download
memory/2724-153-0x0000000003240000-0x00000000032E8000-memory.dmp

Filesize
672KB

Download
memory/2724-154-0x0000000003240000-0x00000000032E8000-memory.dmp

Filesize
672KB

Download
memory/3436-147-0x0000000000000000-mapping.dmp

Download
memory/3436-148-0x0000000000C30000-0x0000000000C57000-memory.dmp

Filesize
156KB

Download
memory/3436-149-0x0000000000500000-0x000000000052F000-memory.dmp

Filesize
188KB

Download
memory/3436-150-0x00000000023D0000-0x000000000271A000-memory.dmp

Filesize
3.3MB

Download
memory/3436-152-0x0000000002240000-0x00000000022D3000-memory.dmp

Filesize
588KB

Download
memory/4420-132-0x0000000000000000-mapping.dmp

Download
memory/4472-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads