formbook | 7a1545afc398e83882ebf804bf3849579356e36e70a0acfac0c8962218171645

General

Target

SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe
Size

1.2MB
MD5

2f34f1cd493828d80ab5f2473c37e159
SHA1

55d9656261db2239ad238a996f2d7ea6a940d89e
SHA256

7a1545afc398e83882ebf804bf3849579356e36e70a0acfac0c8962218171645
SHA512

4a10fb7ecb7ed65ef6e5defd1a3425df448305bbd6f63830ac8d399bf60cc9977f0bbf71e2c5de7060b2f722f9b80bdbad6ab9da07c729fad40bb4535deb13d1
SSDEEP

24576:94QZCt1v7TYTQON65BQ1qso4UhdND3we8MmsCKaWy:94z1QTe5BAjiNLDe+

Score

10^/10

formbook dj6o rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dj6o

Decoy

eHTcR+KSbIHKrEJYcaqomJrw

d4CQy4B84xPiXuPwHUtF

8eIkbHEq+BPxberwHUtF

m0+kGJZPG1H1jgngcA==

AMbXEsJxX4/J80MD

cxBd6axquGelQQc=

J9URjF0q/TbJ80MD

HxxYujs6bp7dberwHUtF

VhwjWCuW1Xau

Hs4ZrXYwBycFVX7hJpekXd1oRg==

XyAqZOXgWECQBQ==

H+HaBrNXMlQ5j+GkDTwf7dEalRSG8g==

Kvj6PwPvL2f1jgngcA==

q3F0mzHxjbyi

G/sniBrf1waZ08/yTxyN8qLm

9uD0ZBYgb5ZiuP3wHUtF

Ndkqiyj14RhyZziD6WwV4O8=

PuY9wEs6hMAOTUs2mUCtdjzUeRyb+A==

PwsHXAKokKjJ80MD

xa4YnG9AI0WKthDfFO0=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	992	cmstp.exe

Loads dropped DLL 1 IoCs

pid	Process
992	cmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1388 set thread context of 1804	1388	SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe	26
PID 1804 set thread context of 1396	1804	RegSvcs.exe	15
PID 992 set thread context of 1396	992	cmstp.exe	15

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1804	RegSvcs.exe
1804	RegSvcs.exe
1804	RegSvcs.exe
1804	RegSvcs.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1804	RegSvcs.exe
1804	RegSvcs.exe
1804	RegSvcs.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe
992	cmstp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	RegSvcs.exe
Token: SeDebugPrivilege	992	cmstp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1396	Explorer.EXE
1396	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1396	Explorer.EXE
1396	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1388	SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe
1388	SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1804	1388	SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe	26
PID 1388 wrote to memory of 1804	1388	SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe	26
PID 1388 wrote to memory of 1804	1388	SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe	26
PID 1388 wrote to memory of 1804	1388	SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe	26
PID 1388 wrote to memory of 1804	1388	SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe	26
PID 1388 wrote to memory of 1804	1388	SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe	26
PID 1388 wrote to memory of 1804	1388	SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe	26
PID 1388 wrote to memory of 1804	1388	SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe	26
PID 1388 wrote to memory of 1804	1388	SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe	26
PID 1388 wrote to memory of 1804	1388	SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe	26
PID 1396 wrote to memory of 992	1396	Explorer.EXE	27
PID 1396 wrote to memory of 992	1396	Explorer.EXE	27
PID 1396 wrote to memory of 992	1396	Explorer.EXE	27
PID 1396 wrote to memory of 992	1396	Explorer.EXE	27
PID 1396 wrote to memory of 992	1396	Explorer.EXE	27
PID 1396 wrote to memory of 992	1396	Explorer.EXE	27
PID 1396 wrote to memory of 992	1396	Explorer.EXE	27
PID 992 wrote to memory of 1320	992	cmstp.exe	30
PID 992 wrote to memory of 1320	992	cmstp.exe	30
PID 992 wrote to memory of 1320	992	cmstp.exe	30
PID 992 wrote to memory of 1320	992	cmstp.exe	30
PID 992 wrote to memory of 1320	992	cmstp.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Olock.1.13406.20665.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
910KB

MD5
d79258c5189103d69502eac786addb04

SHA1
f34b33681cfe8ce649218173a7f58b237821c1ef

SHA256
57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675

SHA512
da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2

Download Submit
memory/992-80-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/992-75-0x0000000000AC0000-0x0000000000AD8000-memory.dmp

Filesize
96KB

Download
memory/992-76-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/992-77-0x0000000001EE0000-0x00000000021E3000-memory.dmp

Filesize
3.0MB

Download
memory/992-78-0x00000000008D0000-0x000000000095F000-memory.dmp

Filesize
572KB

Download
memory/1388-54-0x0000000000F90000-0x00000000010C8000-memory.dmp

Filesize
1.2MB

Download
memory/1388-58-0x0000000006080000-0x000000000612A000-memory.dmp

Filesize
680KB

Download
memory/1388-57-0x0000000008030000-0x000000000812E000-memory.dmp

Filesize
1016KB

Download
memory/1388-56-0x0000000000310000-0x0000000000330000-memory.dmp

Filesize
128KB

Download
memory/1388-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1396-81-0x0000000006C80000-0x0000000006E01000-memory.dmp

Filesize
1.5MB

Download
memory/1396-79-0x0000000006C80000-0x0000000006E01000-memory.dmp

Filesize
1.5MB

Download
memory/1396-70-0x00000000065A0000-0x0000000006694000-memory.dmp

Filesize
976KB

Download
memory/1804-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-73-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1804-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-69-0x00000000000C0000-0x00000000000D0000-memory.dmp

Filesize
64KB

Download
memory/1804-68-0x0000000000960000-0x0000000000C63000-memory.dmp

Filesize
3.0MB

Download
memory/1804-66-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1804-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing