formbook | 8c86c2c68e14eef2ac6a63da35633b309ef75e7f818a6bf935e56471ed5dae53

Analysis

max time kernel
150s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c86c2c68e14eef2ac6a63da35633b309ef75e7f818a6bf935e56471ed5dae53.exe
Size

384KB
MD5

ea0406dc2d0cfd68f8620e462406a819
SHA1

aca8beb5b8055efb907e600f0ac51160aee5a548
SHA256

8c86c2c68e14eef2ac6a63da35633b309ef75e7f818a6bf935e56471ed5dae53
SHA512

34c8d16d7a1e54d81eec84c4b4e9bb3b11388bf97317b6d1d0eb396534497c6d490fd43f75c83fde87b7d8aac307fa98b874686a4d42273e20a708f1cc8b24aa
SSDEEP

6144:jYa6yIgee0WsmHcrkflbDpIHTsxLB047a/wlz9POTaZX7UWzkaJqxB:jY1gAFmHc6YgHh7a+pOmX7UyI

Score

10^/10

formbook dcn0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Executes dropped EXE 2 IoCs

pid	Process
5076	akkanx.exe
3752	akkanx.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\International\Geo\Nation	akkanx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5076 set thread context of 3752	5076	akkanx.exe	67
PID 3752 set thread context of 2588	3752	akkanx.exe	45
PID 3752 set thread context of 2588	3752	akkanx.exe	45
PID 3612 set thread context of 2588	3612	rundll32.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2368682536-4045190062-1465778271-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
3752	akkanx.exe
3752	akkanx.exe
3752	akkanx.exe
3752	akkanx.exe
3752	akkanx.exe
3752	akkanx.exe
3752	akkanx.exe
3752	akkanx.exe
3752	akkanx.exe
3752	akkanx.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2588	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
5076	akkanx.exe
3752	akkanx.exe
3752	akkanx.exe
3752	akkanx.exe
3752	akkanx.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3752	akkanx.exe
Token: SeDebugPrivilege	3612	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 5076	4556	8c86c2c68e14eef2ac6a63da35633b309ef75e7f818a6bf935e56471ed5dae53.exe	66
PID 4556 wrote to memory of 5076	4556	8c86c2c68e14eef2ac6a63da35633b309ef75e7f818a6bf935e56471ed5dae53.exe	66
PID 4556 wrote to memory of 5076	4556	8c86c2c68e14eef2ac6a63da35633b309ef75e7f818a6bf935e56471ed5dae53.exe	66
PID 5076 wrote to memory of 3752	5076	akkanx.exe	67
PID 5076 wrote to memory of 3752	5076	akkanx.exe	67
PID 5076 wrote to memory of 3752	5076	akkanx.exe	67
PID 5076 wrote to memory of 3752	5076	akkanx.exe	67
PID 2588 wrote to memory of 3612	2588	Explorer.EXE	75
PID 2588 wrote to memory of 3612	2588	Explorer.EXE	75
PID 2588 wrote to memory of 3612	2588	Explorer.EXE	75
PID 3612 wrote to memory of 3872	3612	rundll32.exe	76
PID 3612 wrote to memory of 3872	3612	rundll32.exe	76
PID 3612 wrote to memory of 3872	3612	rundll32.exe	76

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\8c86c2c68e14eef2ac6a63da35633b309ef75e7f818a6bf935e56471ed5dae53.exe
  "C:\Users\Admin\AppData\Local\Temp\8c86c2c68e14eef2ac6a63da35633b309ef75e7f818a6bf935e56471ed5dae53.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\akkanx.exe
    "C:\Users\Admin\AppData\Local\Temp\akkanx.exe" C:\Users\Admin\AppData\Local\Temp\ahwtz.xjg
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\akkanx.exe
      "C:\Users\Admin\AppData\Local\Temp\akkanx.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3752
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:788
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:724
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2232
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:3600
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:4164
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:4600
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:4092
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahwtz.xjg

Filesize
5KB

MD5
e21a458c40ba22c4746b345833cdcbdd

SHA1
4555a123e02016365bfd5a374de0a46dccaea941

SHA256
6ec6db92f2f9a6dd086ea48c27b968c7dcea301fb10f8c64bd1f7f1dfea4a1d0

SHA512
b037022455023f6d054750f7618b57a5377d9213343d60352ae1fbb70378b815f5535f741cc84e1e893e9a8ad96ee01e6ab84606cec051cac56225767b8139e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\akkanx.exe

Filesize
164KB

MD5
651b274ea722073d52880756eea7b1d6

SHA1
7300446a518a72f4de47a645d215e1e7400f1c8d

SHA256
4572b1741580ad35120a9ca45081d8e4ef67bb46693174a825246fc9b5ba439c

SHA512
d2c3a71bb1a0b1f0ebc9d913039e6ca473ffef31e32dd18c63adc334742f735f401555cc2cb57ae658de1f75612fb09d4dc40d9e021dd907105d0868126931dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\akkanx.exe

Filesize
164KB

MD5
651b274ea722073d52880756eea7b1d6

SHA1
7300446a518a72f4de47a645d215e1e7400f1c8d

SHA256
4572b1741580ad35120a9ca45081d8e4ef67bb46693174a825246fc9b5ba439c

SHA512
d2c3a71bb1a0b1f0ebc9d913039e6ca473ffef31e32dd18c63adc334742f735f401555cc2cb57ae658de1f75612fb09d4dc40d9e021dd907105d0868126931dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\akkanx.exe

Filesize
164KB

MD5
651b274ea722073d52880756eea7b1d6

SHA1
7300446a518a72f4de47a645d215e1e7400f1c8d

SHA256
4572b1741580ad35120a9ca45081d8e4ef67bb46693174a825246fc9b5ba439c

SHA512
d2c3a71bb1a0b1f0ebc9d913039e6ca473ffef31e32dd18c63adc334742f735f401555cc2cb57ae658de1f75612fb09d4dc40d9e021dd907105d0868126931dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvybhxqdmg.qch

Filesize
205KB

MD5
2f5e0c99cc829a9cd25c45366fe4361f

SHA1
f01cab1b19aa2e9487c8b239e9b9cb4d0ae29b47

SHA256
0fee83456c02bfee1af6abe979ee8643b0e3b4a668624f9198785361432c7804

SHA512
6f9018b0c6cbb66764a7fa334ec6217ff96f2ef68583536c85c7660e1e975d4648c734f02937dc4812362eef8b1216265aefb4f09f78397710e2249e00c5299c

Download Submit
memory/2588-235-0x0000000003110000-0x00000000031DF000-memory.dmp

Filesize
828KB

Download
memory/2588-309-0x0000000004FB0000-0x0000000005069000-memory.dmp

Filesize
740KB

Download
memory/2588-283-0x0000000004FB0000-0x0000000005069000-memory.dmp

Filesize
740KB

Download
memory/2588-232-0x00000000069C0000-0x0000000006B4E000-memory.dmp

Filesize
1.6MB

Download
memory/3612-280-0x0000000004E80000-0x00000000051A0000-memory.dmp

Filesize
3.1MB

Download
memory/3612-279-0x0000000002D00000-0x0000000002D2D000-memory.dmp

Filesize
180KB

Download
memory/3612-308-0x0000000004B40000-0x0000000004CD9000-memory.dmp

Filesize
1.6MB

Download
memory/3612-284-0x0000000002D00000-0x0000000002D2D000-memory.dmp

Filesize
180KB

Download
memory/3612-282-0x0000000004B40000-0x0000000004CD9000-memory.dmp

Filesize
1.6MB

Download
memory/3612-278-0x0000000000C50000-0x0000000000C63000-memory.dmp

Filesize
76KB

Download
memory/3752-233-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/3752-230-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/3752-220-0x0000000001840000-0x0000000001B60000-memory.dmp

Filesize
3.1MB

Download
memory/3752-217-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3752-215-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3752-231-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download
memory/3752-239-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3752-234-0x0000000001510000-0x000000000169D000-memory.dmp

Filesize
1.6MB

Download
memory/3752-237-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4556-163-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-133-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-145-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-146-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-147-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-148-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-149-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-150-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-151-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-152-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-153-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-154-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-155-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-156-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-157-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-158-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-159-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-160-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-117-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-162-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-161-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-118-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-119-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-120-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-121-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-122-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-143-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-123-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-124-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-142-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-125-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-126-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-127-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-128-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-129-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-130-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-131-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-132-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-144-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-134-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-135-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-141-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-140-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-139-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-138-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-137-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-136-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-175-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-180-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-174-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-171-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-176-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-179-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-178-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-177-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-182-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-181-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-172-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-170-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-166-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-169-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-168-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-167-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/5076-183-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download