formbook | 0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c

Analysis

max time kernel
153s
max time network
150s
platform
windows7_x64
resource
win7v20210408
submitted
04-05-2021 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe
Size

823KB
MD5

044b98a3ce8315a0b0cd8e7ebe61f7e0
SHA1

d350a93f2a44ca872e2efba0032eb33490c874c0
SHA256

0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c
SHA512

16f686455dda18b7c088dd06d7cbd6ed1efd7dd382f13c7e2fbc76e0d996b1525e8dc32d599fc1ff678661b8c96484196b33b731472134e93b6fceba673d9854

Score

10^/10

formbook persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

http://www.nyoxibwer.com/a8c/

Decoy

kesslergroupinternational.net

elcarretazo.com

livbim.info

thamxop.net

abitur.expert

cidavidjoy.com

digitalkarwaan.com

hcave.com

foundbyjack.com

servicarpasjc.com

giaotrinh24h.com

ladasno.com

harrisxn.com

bestbtccasinos.info

australianflying.com

louboutinshoes.site

taohaomi.net

s5league-europe.com

lizhongysw.com

imizuspotsboxboxinggym.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1200-84-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1200-85-0x0000000002D50000-0x000000000399A000-memory.dmp	formbook
behavioral1/memory/480-92-0x0000000000090000-0x00000000000BA000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

olefines.exe

pid process

1772 olefines.exe

Loads dropped DLL 3 IoCs

Processes:

0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exeolefines.exe

pid	process
1288	0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe
1288	0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe
1772	olefines.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmmon32.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	cmmon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DRWTJREHF8 = "C:\\Program Files (x86)\\X6l6hzlrx\\certmgrmtqlr.exe"	cmmon32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

cmd.execmmon32.exe

description	pid	process	target process
PID 1200 set thread context of 1208	1200	cmd.exe	Explorer.EXE
PID 1200 set thread context of 1208	1200	cmd.exe	Explorer.EXE
PID 480 set thread context of 1208	480	cmmon32.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

cmmon32.exe

description ioc process

File opened for modification C:\Program Files (x86)\X6l6hzlrx\certmgrmtqlr.exe cmmon32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\X6l6hzlrx\certmgrmtqlr.exe	cmmon32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmmon32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmmon32.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

olefines.execmd.execmmon32.exe

pid	process
1772	olefines.exe
1200	cmd.exe
1200	cmd.exe
1200	cmd.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe
480	cmmon32.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

olefines.execmd.execmmon32.exe

pid process

1772 olefines.exe
1200 cmd.exe
1200 cmd.exe
1200 cmd.exe
1200 cmd.exe
480 cmmon32.exe
480 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.execmmon32.exe

description pid process

Token: SeDebugPrivilege 1200 cmd.exe
Token: SeDebugPrivilege 480 cmmon32.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1200	cmd.exe
Token: SeDebugPrivilege	480	cmmon32.exe

pid	process
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exeolefines.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1288 wrote to memory of 1772	1288	0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe	olefines.exe
PID 1288 wrote to memory of 1772	1288	0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe	olefines.exe
PID 1288 wrote to memory of 1772	1288	0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe	olefines.exe
PID 1288 wrote to memory of 1772	1288	0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe	olefines.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1772 wrote to memory of 1200	1772	olefines.exe	cmd.exe
PID 1208 wrote to memory of 480	1208	Explorer.EXE	cmmon32.exe
PID 1208 wrote to memory of 480	1208	Explorer.EXE	cmmon32.exe
PID 1208 wrote to memory of 480	1208	Explorer.EXE	cmmon32.exe
PID 1208 wrote to memory of 480	1208	Explorer.EXE	cmmon32.exe
PID 480 wrote to memory of 112	480	cmmon32.exe	cmd.exe
PID 480 wrote to memory of 112	480	cmmon32.exe	cmd.exe
PID 480 wrote to memory of 112	480	cmmon32.exe	cmd.exe
PID 480 wrote to memory of 112	480	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe
"C:\Users\Admin\AppData\Local\Temp\0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\olefines.exe
C:\Users\Admin\AppData\Local\Temp\olefines.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\cmd.exe"
3⤵
PID:112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dozen
MD5
4437024fbfa38f88ae0247b4c6c58c80

SHA1
5519a4175ef6c9ce767957f55596091ddeded2bf

SHA256
9c0f71b2b57898daa3d0d39f6b889ef25c6d15aa78e34f74eb81ab3f62f40eda

SHA512
ba88a54cd078480ff89afa2eb5cb6a45d09d9131364b0c9bdfdbcb274da8451bf38108e05b4c8ca719b771a7da448dcd549d1fb6e7cd4c9ee5ba341dd3f36e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enceinte.DLL
MD5
8bbac2f79989d23de2d35d1520c3ec0a

SHA1
4e5f430b955b2111d8c2bf16cb79b6477aafff59

SHA256
9dc0ad7b6012c6bffb0fbf4dd0b0b8e5bdd3141d2e49ffbe2bbeedcd32986920

SHA512
41feba2345da830c61a05c4d699af979ccd7aa4038f3a71eb14864ec55aa21ca957e718bc0761e6f128d23e6cbd302ee6c29bd17ea2200a99d28b301b3e214d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\olefines.exe
MD5
8c235ee3054fe4c9d00cdb0c3d4e9929

SHA1
e9fd8fc10b228f7d5aab287d5ce9c4db45751150

SHA256
3782ed0bd78fc11425bde0de11aba62f2830bf3f34a956e1184cb5d225d94d50

SHA512
279952b634de755caee308fe33c1e5c695486e5ee32bcdc22d4116548d84e5d692017fc4378ad8062f17c497d0d6869b8f4d595f2a6c0ddbd5c6de5478af900f

Download Submit
C:\Users\Admin\AppData\Roaming\N4NA3DEA\N4Nlogim.jpeg
MD5
2767b97fe36bd76c094cc792ede31beb

SHA1
f03beec33457e0f8b5be6945fd69e31e41ec916d

SHA256
ab2ed7197314fe1fd8d8737b11e708d84f7059a475e3af83d1033d97f58ad783

SHA512
915bb7420f354ad3921da2c7ef54c20f7d3c4b91f7a06ab553b8d6d5c51a163091b51f672d92b0bb9839bd6689a12271a1496285d0421894209fb5a6d5f0b887

Download Submit
C:\Users\Admin\AppData\Roaming\N4NA3DEA\N4Nlogri.ini
MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\N4NA3DEA\N4Nlogrv.ini
MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
\Users\Admin\AppData\Local\Temp\Enceinte.dll
MD5
8bbac2f79989d23de2d35d1520c3ec0a

SHA1
4e5f430b955b2111d8c2bf16cb79b6477aafff59

SHA256
9dc0ad7b6012c6bffb0fbf4dd0b0b8e5bdd3141d2e49ffbe2bbeedcd32986920

SHA512
41feba2345da830c61a05c4d699af979ccd7aa4038f3a71eb14864ec55aa21ca957e718bc0761e6f128d23e6cbd302ee6c29bd17ea2200a99d28b301b3e214d0

Download Submit
\Users\Admin\AppData\Local\Temp\olefines.exe
MD5
8c235ee3054fe4c9d00cdb0c3d4e9929

SHA1
e9fd8fc10b228f7d5aab287d5ce9c4db45751150

SHA256
3782ed0bd78fc11425bde0de11aba62f2830bf3f34a956e1184cb5d225d94d50

SHA512
279952b634de755caee308fe33c1e5c695486e5ee32bcdc22d4116548d84e5d692017fc4378ad8062f17c497d0d6869b8f4d595f2a6c0ddbd5c6de5478af900f

Download Submit
\Users\Admin\AppData\Local\Temp\olefines.exe
MD5
8c235ee3054fe4c9d00cdb0c3d4e9929

SHA1
e9fd8fc10b228f7d5aab287d5ce9c4db45751150

SHA256
3782ed0bd78fc11425bde0de11aba62f2830bf3f34a956e1184cb5d225d94d50

SHA512
279952b634de755caee308fe33c1e5c695486e5ee32bcdc22d4116548d84e5d692017fc4378ad8062f17c497d0d6869b8f4d595f2a6c0ddbd5c6de5478af900f

Download Submit
memory/112-93-0x0000000000000000-mapping.dmp

Download
memory/480-92-0x0000000000090000-0x00000000000BA000-memory.dmp

Filesize
168KB

Download
memory/480-90-0x0000000000000000-mapping.dmp

Download
memory/480-95-0x0000000001CC0000-0x0000000001D53000-memory.dmp

Filesize
588KB

Download
memory/480-94-0x0000000001E60000-0x0000000002163000-memory.dmp

Filesize
3.0MB

Download
memory/480-91-0x0000000000080000-0x000000000008D000-memory.dmp

Filesize
52KB

Download
memory/1200-84-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1200-78-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/1200-86-0x0000000000370000-0x0000000000384000-memory.dmp

Filesize
80KB

Download
memory/1200-85-0x0000000002D50000-0x000000000399A000-memory.dmp

Filesize
12.3MB

Download
memory/1200-76-0x0000000000000000-mapping.dmp

Download
memory/1200-88-0x00000000003B0000-0x00000000003C4000-memory.dmp

Filesize
80KB

Download
memory/1200-77-0x0000000076E80000-0x0000000077029000-memory.dmp

Filesize
1.7MB

Download
memory/1200-79-0x0000000076E81000-0x0000000076F8127A-memory.dmp

Filesize
1.0MB

Download
memory/1208-96-0x0000000008120000-0x000000000828F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-89-0x00000000075E0000-0x0000000007745000-memory.dmp

Filesize
1.4MB

Download
memory/1208-87-0x0000000003F10000-0x0000000004053000-memory.dmp

Filesize
1.3MB

Download
memory/1288-60-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1772-74-0x0000000076C20000-0x0000000076C55000-memory.dmp

Filesize
212KB

Download
memory/1772-75-0x0000000076E80000-0x0000000077029000-memory.dmp

Filesize
1.7MB

Download
memory/1772-72-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1772-68-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/1772-63-0x0000000000000000-mapping.dmp

Download