formbook | 441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2

General

Target

441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
Size

620KB
MD5

d5242869385cc6f80a3573f30969d32e
SHA1

804b91d679866e9c9a8f84abdc203aa5ac6069ef
SHA256

441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2
SHA512

4aa4622bf2d4e23a46ffaa47e7e984afacba5a3bcbcfc872c85b9a5d38e962b2bd59870fedf81375ceb1eb87f493e0079ad0925beccaf50d63e7c30ccfda0a74

Score

10^/10

formbook lokibot ra collection rat spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://strutitinca.ro/ftp/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

formbook

Version

3.8

Campaign

ra

Decoy

bee-control.com

profilepaytren.com

hirntod.info

foxrivrefiber.com

redesignmind.com

prowikileaks.com

jeni86.win

franzzegarra.com

veruredrfygj.win

youzhongla.com

mynastudios.com

stop-r.net

pet-dress.com

beautiies.com

aminooctane.com

studiostraccio.com

jiazhengkj.com

itufq.info

ssco2203.com

bollywoodmoviedance.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1140-62-0x0000000000000000-mapping.dmp	formbook
behavioral1/memory/1140-66-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

Nass.exe

pid process

1100 Nass.exe

pid	process
1100	Nass.exe

Loads dropped DLL 2 IoCs

Processes:

441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe

pid	process
272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Nass.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Nass.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Nass.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Nass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe

pid process

1140 441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Nass.exe

description pid process

Token: SeDebugPrivilege 1100 Nass.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe

pid process

272 441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe

pid	process
1140	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe

description	pid	process
Token: SeDebugPrivilege	1100	Nass.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe

outlook_office_path 1 IoCs

Processes:

Nass.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Nass.exe

outlook_win_path 1 IoCs

Processes:

Nass.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Nass.exe

C:\Users\Admin\AppData\Local\Temp\441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
"C:\Users\Admin\AppData\Local\Temp\441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:272
- C:\Users\Admin\AppData\Local\Temp\Nass.exe
  "C:\Users\Admin\AppData\Local\Temp\Nass.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
  "C:\Users\Admin\AppData\Local\Temp\441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nass.exe

Filesize
104KB

MD5
c9bf989640132ea2f2d56816fae1e6cf

SHA1
143764d64c923873c06908744d037618791cec73

SHA256
696bb2ba51caa1af61cc8fb9c0fb96e2256549f7427f6b44d8af46f03957e2c5

SHA512
409891ff65d28dba4766ea0cd0e624225cbddfa6f0cab35fa51036c77999a4246afe629f0a2bb855ba4850cd10ca9130e05e588730d74a5ebc039218e3a1ee2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nass.exe

Filesize
104KB

MD5
c9bf989640132ea2f2d56816fae1e6cf

SHA1
143764d64c923873c06908744d037618791cec73

SHA256
696bb2ba51caa1af61cc8fb9c0fb96e2256549f7427f6b44d8af46f03957e2c5

SHA512
409891ff65d28dba4766ea0cd0e624225cbddfa6f0cab35fa51036c77999a4246afe629f0a2bb855ba4850cd10ca9130e05e588730d74a5ebc039218e3a1ee2b

Download Submit
\Users\Admin\AppData\Local\Temp\Nass.exe

Filesize
104KB

MD5
c9bf989640132ea2f2d56816fae1e6cf

SHA1
143764d64c923873c06908744d037618791cec73

SHA256
696bb2ba51caa1af61cc8fb9c0fb96e2256549f7427f6b44d8af46f03957e2c5

SHA512
409891ff65d28dba4766ea0cd0e624225cbddfa6f0cab35fa51036c77999a4246afe629f0a2bb855ba4850cd10ca9130e05e588730d74a5ebc039218e3a1ee2b

Download Submit
\Users\Admin\AppData\Local\Temp\Nass.exe

Filesize
104KB

MD5
c9bf989640132ea2f2d56816fae1e6cf

SHA1
143764d64c923873c06908744d037618791cec73

SHA256
696bb2ba51caa1af61cc8fb9c0fb96e2256549f7427f6b44d8af46f03957e2c5

SHA512
409891ff65d28dba4766ea0cd0e624225cbddfa6f0cab35fa51036c77999a4246afe629f0a2bb855ba4850cd10ca9130e05e588730d74a5ebc039218e3a1ee2b

Download Submit
memory/272-56-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/272-57-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/272-64-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1100-60-0x0000000000000000-mapping.dmp

Download
memory/1140-62-0x0000000000000000-mapping.dmp

Download
memory/1140-65-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download
memory/1140-66-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

description	pid	process	target process
PID 272 wrote to memory of 1100	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	Nass.exe
PID 272 wrote to memory of 1100	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	Nass.exe
PID 272 wrote to memory of 1100	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	Nass.exe
PID 272 wrote to memory of 1100	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	Nass.exe
PID 272 wrote to memory of 1140	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
PID 272 wrote to memory of 1140	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
PID 272 wrote to memory of 1140	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
PID 272 wrote to memory of 1140	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
PID 272 wrote to memory of 1140	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
PID 272 wrote to memory of 1140	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
PID 272 wrote to memory of 1140	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
PID 272 wrote to memory of 1140	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
PID 272 wrote to memory of 1140	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
PID 272 wrote to memory of 1140	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
PID 272 wrote to memory of 1140	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
PID 272 wrote to memory of 1140	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
PID 272 wrote to memory of 1140	272	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe	441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads