formbook | 7fa778a38b6adbec2ed8ca4e50d2971c4f135c1bf3b7c24a9adb8f86d3ad2ec5

General

Target

SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe
Size

684KB
MD5

0379ae001c1c573492d6691c94d2a540
SHA1

f92b3c78bb2170074ae40f92743432ef10d55f06
SHA256

7fa778a38b6adbec2ed8ca4e50d2971c4f135c1bf3b7c24a9adb8f86d3ad2ec5
SHA512

d1137357639c3c55460cde25047a4f9706c5ab6501b996cff0ffc30468d4f534da9433218d0a7a4b1c7c2badaf3e44e786443c0b9543b0cc7868f19d28257658
SSDEEP

12288:Zrl405A0lVmc7QFRj+ppGLVXcw1916s5cIGdbT0POkCU4H011Q+T3l+zj:BplVTE/9KC916s5cIMkCUFqC3wzj

Score

10^/10

formbook 4u5a rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

4u5a

Decoy

Y9HWoINcPu0r7SSSKt4FCmk7

G/E64auYdhRQM4wZW2bcOaY=

bL57APty/StRpW49a+EdxA==

TppryJ0SoslHe8gJFVc=

HXxDShYIEcUJDahdv2nvl5Hlbp4=

EKaq5c6w0nV3WWlEqM4Www==

VM+YjE8XS1OLcH1roYF4zA==

OwK0wxmBGnq2Fg==

B1zy4bulyfY9tj9DK2eIkeYArpTt

Avj5JeA8m9girqfQ4+cZxA==

AOY4dmDFkCdX8HUJMw==

5cQUw3pPMYr07V8=

P7ZsN4/zt63AEw==

FYyVCOpB8Vl//kSkDLPo91Yy

jxwZTBp+5gcsccPxDF+K4bDG2Rpp0A==

iGx9AO58DRhZbXX9

prwVyLkAtlhSU6irmansg8wArpTt

uqa8ZPl+FFObOkdFNg==

tL4OhF22EDaEOkdFNg==

6exH76Z9o7eu/n86vgPE

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

cmstp.exe

flow pid process

7 292 cmstp.exe
Loads dropped DLL 1 IoCs

Processes:

cmstp.exe

pid process

292 cmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
7	292	cmstp.exe

pid	process
292	cmstp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exeCaspol.execmstp.exe

description	pid	process	target process
PID 1792 set thread context of 472	1792	SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe	Caspol.exe
PID 472 set thread context of 1228	472	Caspol.exe	Explorer.EXE
PID 292 set thread context of 1228	292	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exeCaspol.execmstp.exe

pid	process
1792	SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe
472	Caspol.exe
472	Caspol.exe
472	Caspol.exe
472	Caspol.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Caspol.execmstp.exe

pid process

472 Caspol.exe
472 Caspol.exe
472 Caspol.exe
292 cmstp.exe
292 cmstp.exe
292 cmstp.exe
292 cmstp.exe

pid	process
1228	Explorer.EXE

pid	process
472	Caspol.exe
472	Caspol.exe
472	Caspol.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe
292	cmstp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exeCaspol.execmstp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1792	SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe
Token: SeDebugPrivilege	472	Caspol.exe
Token: SeDebugPrivilege	292	cmstp.exe
Token: SeShutdownPrivilege	1228	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1792 wrote to memory of 700	1792	SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe	Caspol.exe
PID 1792 wrote to memory of 700	1792	SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe	Caspol.exe
PID 1792 wrote to memory of 700	1792	SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe	Caspol.exe
PID 1792 wrote to memory of 700	1792	SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe	Caspol.exe
PID 1792 wrote to memory of 472	1792	SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe	Caspol.exe
PID 1792 wrote to memory of 472	1792	SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe	Caspol.exe
PID 1792 wrote to memory of 472	1792	SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe	Caspol.exe
PID 1792 wrote to memory of 472	1792	SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe	Caspol.exe
PID 1792 wrote to memory of 472	1792	SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe	Caspol.exe
PID 1792 wrote to memory of 472	1792	SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe	Caspol.exe
PID 1792 wrote to memory of 472	1792	SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe	Caspol.exe
PID 1228 wrote to memory of 292	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 292	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 292	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 292	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 292	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 292	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 292	1228	Explorer.EXE	cmstp.exe
PID 292 wrote to memory of 1752	292	cmstp.exe	Firefox.exe
PID 292 wrote to memory of 1752	292	cmstp.exe	Firefox.exe
PID 292 wrote to memory of 1752	292	cmstp.exe	Firefox.exe
PID 292 wrote to memory of 1752	292	cmstp.exe	Firefox.exe
PID 292 wrote to memory of 1752	292	cmstp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:596

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:320

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1696

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2044

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:708

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1756

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1740

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1496

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1444

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:540

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1820

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1012

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:292

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
927KB

MD5
7fd80b1cc72dc580c02ca4cfbfb2592d

SHA1
18da905af878b27151b359cf1a7d0a650764e8a1

SHA256
1e6dccbdf8527abb53c289da920463b7895300d0d984cc7e91a3ecda4e673190

SHA512
13f7f29b5ed31c551aa5f27742557aa4d026a226087d6fcbca094819759ecc753a2c33b7422ae88dc6a4a0a966edb8485a18e59a0283ba2686cae5d78e0190a3

Download Submit
memory/292-68-0x0000000000000000-mapping.dmp

Download
memory/292-75-0x00000000000B0000-0x00000000000DD000-memory.dmp

Filesize
180KB

Download
memory/292-73-0x0000000001D90000-0x0000000001E1F000-memory.dmp

Filesize
572KB

Download
memory/292-72-0x0000000001FD0000-0x00000000022D3000-memory.dmp

Filesize
3.0MB

Download
memory/292-71-0x00000000000B0000-0x00000000000DD000-memory.dmp

Filesize
180KB

Download
memory/292-70-0x0000000000050000-0x0000000000068000-memory.dmp

Filesize
96KB

Download
memory/292-69-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/472-60-0x00000000004012B0-mapping.dmp

Download
memory/472-56-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/472-66-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/472-57-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/472-64-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/472-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/472-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/472-65-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/472-59-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1228-74-0x0000000005070000-0x00000000051DE000-memory.dmp

Filesize
1.4MB

Download
memory/1228-67-0x0000000004C40000-0x0000000004D64000-memory.dmp

Filesize
1.1MB

Download
memory/1228-76-0x0000000005070000-0x00000000051DE000-memory.dmp

Filesize
1.4MB

Download
memory/1792-54-0x0000000000EB0000-0x0000000000F62000-memory.dmp

Filesize
712KB

Download
memory/1792-55-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads