formbook | 0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c

General

Target

0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe
Size

823KB
MD5

044b98a3ce8315a0b0cd8e7ebe61f7e0
SHA1

d350a93f2a44ca872e2efba0032eb33490c874c0
SHA256

0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c
SHA512

16f686455dda18b7c088dd06d7cbd6ed1efd7dd382f13c7e2fbc76e0d996b1525e8dc32d599fc1ff678661b8c96484196b33b731472134e93b6fceba673d9854

Score

10^/10

formbook persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

C2

http://www.nyoxibwer.com/a8c/

Decoy

kesslergroupinternational.net

elcarretazo.com

livbim.info

thamxop.net

abitur.expert

cidavidjoy.com

digitalkarwaan.com

hcave.com

foundbyjack.com

servicarpasjc.com

giaotrinh24h.com

ladasno.com

harrisxn.com

bestbtccasinos.info

australianflying.com

louboutinshoes.site

taohaomi.net

s5league-europe.com

lizhongysw.com

imizuspotsboxboxinggym.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1860-160-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/1460-167-0x0000000001110000-0x000000000113A000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

olefines.exe

pid process

3904 olefines.exe
Loads dropped DLL 1 IoCs

Processes:

olefines.exe

pid process

3904 olefines.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Q2O4ANLPQZC = "C:\\Program Files (x86)\\X2dpl\\autochkqpx4anh.exe"	wscript.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cmd.exewscript.exe

description	pid	process	target process
PID 1860 set thread context of 3024	1860	cmd.exe	Explorer.EXE
PID 1460 set thread context of 3024	1460	wscript.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

wscript.exe

description ioc process

File opened for modification C:\Program Files (x86)\X2dpl\autochkqpx4anh.exe wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\X2dpl\autochkqpx4anh.exe	wscript.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wscript.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

olefines.execmd.exewscript.exe

pid	process
3904	olefines.exe
1860	cmd.exe
1860	cmd.exe
1860	cmd.exe
1860	cmd.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe
1460	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

olefines.execmd.exewscript.exe

pid process

3904 olefines.exe
1860 cmd.exe
1860 cmd.exe
1860 cmd.exe
1460 wscript.exe
1460 wscript.exe

pid	process
3024	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

cmd.exewscript.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1860	cmd.exe
Token: SeDebugPrivilege	1460	wscript.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE

pid	process
3024	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exeolefines.exe

description	pid	process	target process
PID 796 wrote to memory of 3904	796	0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe	olefines.exe
PID 796 wrote to memory of 3904	796	0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe	olefines.exe
PID 796 wrote to memory of 3904	796	0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe	olefines.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe
PID 3904 wrote to memory of 1860	3904	olefines.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3024

C:\Users\Admin\AppData\Local\Temp\0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe
"C:\Users\Admin\AppData\Local\Temp\0b36d66a0df438fbf3bc712b6c55d8aefa42139d4c95b92d7ca72e3cf8dedb7c.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\olefines.exe
C:\Users\Admin\AppData\Local\Temp\olefines.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\cmd.exe"
3⤵
PID:3944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dozen
MD5
4437024fbfa38f88ae0247b4c6c58c80

SHA1
5519a4175ef6c9ce767957f55596091ddeded2bf

SHA256
9c0f71b2b57898daa3d0d39f6b889ef25c6d15aa78e34f74eb81ab3f62f40eda

SHA512
ba88a54cd078480ff89afa2eb5cb6a45d09d9131364b0c9bdfdbcb274da8451bf38108e05b4c8ca719b771a7da448dcd549d1fb6e7cd4c9ee5ba341dd3f36e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enceinte.DLL
MD5
8bbac2f79989d23de2d35d1520c3ec0a

SHA1
4e5f430b955b2111d8c2bf16cb79b6477aafff59

SHA256
9dc0ad7b6012c6bffb0fbf4dd0b0b8e5bdd3141d2e49ffbe2bbeedcd32986920

SHA512
41feba2345da830c61a05c4d699af979ccd7aa4038f3a71eb14864ec55aa21ca957e718bc0761e6f128d23e6cbd302ee6c29bd17ea2200a99d28b301b3e214d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\olefines.exe
MD5
8c235ee3054fe4c9d00cdb0c3d4e9929

SHA1
e9fd8fc10b228f7d5aab287d5ce9c4db45751150

SHA256
3782ed0bd78fc11425bde0de11aba62f2830bf3f34a956e1184cb5d225d94d50

SHA512
279952b634de755caee308fe33c1e5c695486e5ee32bcdc22d4116548d84e5d692017fc4378ad8062f17c497d0d6869b8f4d595f2a6c0ddbd5c6de5478af900f

Download Submit
C:\Users\Admin\AppData\Local\Temp\olefines.exe
MD5
8c235ee3054fe4c9d00cdb0c3d4e9929

SHA1
e9fd8fc10b228f7d5aab287d5ce9c4db45751150

SHA256
3782ed0bd78fc11425bde0de11aba62f2830bf3f34a956e1184cb5d225d94d50

SHA512
279952b634de755caee308fe33c1e5c695486e5ee32bcdc22d4116548d84e5d692017fc4378ad8062f17c497d0d6869b8f4d595f2a6c0ddbd5c6de5478af900f

Download Submit
C:\Users\Admin\AppData\Roaming\N4NA3DEA\N4Nlogim.jpeg
MD5
de70098ed1e126c6549cf8abdc887a2f

SHA1
cbcc222c1b047e980740a038a0cde60c648d89a7

SHA256
448a8d459d4b80f2f8b7841d4deb1bbbccdc5c23a71385258c74e9b32365cb68

SHA512
d8868e541ea0f25de46ee40eda7bef43e9e71663f8eb74b70ae34c7c6cc65ec949bb1ad82c9ea59ffed4f6367b38da4868c8b27b42e74f93a879300da5794554

Download Submit
C:\Users\Admin\AppData\Roaming\N4NA3DEA\N4Nlogri.ini
MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\N4NA3DEA\N4Nlogrv.ini
MD5
bbc41c78bae6c71e63cb544a6a284d94

SHA1
33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

SHA256
ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

SHA512
0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

Download Submit
\Users\Admin\AppData\Local\Temp\Enceinte.dll
MD5
8bbac2f79989d23de2d35d1520c3ec0a

SHA1
4e5f430b955b2111d8c2bf16cb79b6477aafff59

SHA256
9dc0ad7b6012c6bffb0fbf4dd0b0b8e5bdd3141d2e49ffbe2bbeedcd32986920

SHA512
41feba2345da830c61a05c4d699af979ccd7aa4038f3a71eb14864ec55aa21ca957e718bc0761e6f128d23e6cbd302ee6c29bd17ea2200a99d28b301b3e214d0

Download Submit
memory/1460-164-0x0000000000000000-mapping.dmp

Download
memory/1460-169-0x00000000051D0000-0x0000000005263000-memory.dmp

Filesize
588KB

Download
memory/1460-167-0x0000000001110000-0x000000000113A000-memory.dmp

Filesize
168KB

Download
memory/1460-165-0x00000000011C0000-0x00000000011E7000-memory.dmp

Filesize
156KB

Download
memory/1460-166-0x0000000005370000-0x0000000005690000-memory.dmp

Filesize
3.1MB

Download
memory/1860-140-0x00007FFAEC5A1000-0x00007FFAEC6AE7A3-memory.dmp

Filesize
1.1MB

Download
memory/1860-134-0x0000000003310000-0x0000000003316000-memory.dmp

Filesize
24KB

Download
memory/1860-161-0x0000000005C50000-0x0000000005F70000-memory.dmp

Filesize
3.1MB

Download
memory/1860-162-0x00000000056B0000-0x00000000056C4000-memory.dmp

Filesize
80KB

Download
memory/1860-160-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1860-127-0x0000000000000000-mapping.dmp

Download
memory/1860-135-0x00007FFAEC5A0000-0x00007FFAEC77B000-memory.dmp

Filesize
1.9MB

Download
memory/1860-128-0x00000000770D9000-0x00000000770D9005-memory.dmp

Filesize
5B

Download
memory/3024-163-0x0000000005E30000-0x0000000005F51000-memory.dmp

Filesize
1.1MB

Download
memory/3024-170-0x0000000002610000-0x00000000026C2000-memory.dmp

Filesize
712KB

Download
memory/3904-114-0x0000000000000000-mapping.dmp

Download
memory/3904-126-0x00007FFAEC5A0000-0x00007FFAEC77B000-memory.dmp

Filesize
1.9MB

Download
memory/3904-125-0x0000000074F20000-0x0000000074F87000-memory.dmp

Filesize
412KB

Download
memory/3904-124-0x0000000000AB0000-0x0000000000AB3000-memory.dmp

Filesize
12KB

Download
memory/3904-120-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/3944-168-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads