formbook | a61da3e0802d4f580e033d44596b0c0cb812c80e0d449d3f427d0e71e2c5f14b

General

Target

Sorğu HA-22-28199 22-077.exe
Size

554KB
MD5

ffff0c7d3139145648b89f27dc829e64
SHA1

22142740d3c5f611a8e4487b4f3da05a25b51b23
SHA256

a61da3e0802d4f580e033d44596b0c0cb812c80e0d449d3f427d0e71e2c5f14b
SHA512

20f70410951d074fb19da6e7a8f870f10e11f46386d9ac6215a27f1338530af658e66a9ab86f9832edfcc67e25e4fe5b7bd89ee79edd8803e53bb5cde300d220
SSDEEP

12288:IAVDQ3G17O3qhW8JnD676LkHSS+dJQqhqW8tbVpjLc:2Z8o76LkL+dWiqWKn

Score

10^/10

formbook urde rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

urde

Decoy

belleriacortland.com

gxzyykx.com

blocksholding.net

zhangjiyuan.com

tyfinck.com

xn--v9s.club

xn--72c9at8ec1l.com

dorismart.online

nocodeuni.com

hmmprocesos.website

quartile.agency

iansdogname.com

karengillen.com

the-bitindexprime.info

nthanisolutions.com

nakamu.online

sahityanepal.com

sinwinindustry.com

shotblastwearingparts.com

nstsuccess.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/796-134-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/796-135-0x000000000041F140-mapping.dmp	formbook
behavioral2/memory/796-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2132-145-0x00000000001A0000-0x00000000001CF000-memory.dmp	formbook
behavioral2/memory/2132-149-0x00000000001A0000-0x00000000001CF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Sorğu HA-22-28199 22-077.exeCasPol.exemsiexec.exe

description	pid	process	target process
PID 4904 set thread context of 796	4904	Sorğu HA-22-28199 22-077.exe	CasPol.exe
PID 796 set thread context of 2948	796	CasPol.exe	Explorer.EXE
PID 2132 set thread context of 2948	2132	msiexec.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

CasPol.exemsiexec.exe

pid	process
796	CasPol.exe
796	CasPol.exe
796	CasPol.exe
796	CasPol.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe
2132	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2948 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

CasPol.exemsiexec.exe

pid process

796 CasPol.exe
796 CasPol.exe
796 CasPol.exe
2132 msiexec.exe
2132 msiexec.exe

pid	process
2948	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

CasPol.exemsiexec.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	796	CasPol.exe
Token: SeDebugPrivilege	2132	msiexec.exe
Token: SeShutdownPrivilege	2948	Explorer.EXE
Token: SeCreatePagefilePrivilege	2948	Explorer.EXE
Token: SeShutdownPrivilege	2948	Explorer.EXE
Token: SeCreatePagefilePrivilege	2948	Explorer.EXE
Token: SeShutdownPrivilege	2948	Explorer.EXE
Token: SeCreatePagefilePrivilege	2948	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Sorğu HA-22-28199 22-077.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 4904 wrote to memory of 796	4904	Sorğu HA-22-28199 22-077.exe	CasPol.exe
PID 4904 wrote to memory of 796	4904	Sorğu HA-22-28199 22-077.exe	CasPol.exe
PID 4904 wrote to memory of 796	4904	Sorğu HA-22-28199 22-077.exe	CasPol.exe
PID 4904 wrote to memory of 796	4904	Sorğu HA-22-28199 22-077.exe	CasPol.exe
PID 4904 wrote to memory of 796	4904	Sorğu HA-22-28199 22-077.exe	CasPol.exe
PID 4904 wrote to memory of 796	4904	Sorğu HA-22-28199 22-077.exe	CasPol.exe
PID 2948 wrote to memory of 2132	2948	Explorer.EXE	msiexec.exe
PID 2948 wrote to memory of 2132	2948	Explorer.EXE	msiexec.exe
PID 2948 wrote to memory of 2132	2948	Explorer.EXE	msiexec.exe
PID 2132 wrote to memory of 3116	2132	msiexec.exe	cmd.exe
PID 2132 wrote to memory of 3116	2132	msiexec.exe	cmd.exe
PID 2132 wrote to memory of 3116	2132	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\Sorğu HA-22-28199 22-077.exe
"C:\Users\Admin\AppData\Local\Temp\Sorğu HA-22-28199 22-077.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
PID:3116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/796-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/796-135-0x000000000041F140-mapping.dmp

Download
memory/796-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/796-139-0x00000000012D0000-0x000000000161A000-memory.dmp

Filesize
3.3MB

Download
memory/796-140-0x0000000000E70000-0x0000000000E84000-memory.dmp

Filesize
80KB

Download
memory/2132-144-0x0000000000EF0000-0x0000000000F02000-memory.dmp

Filesize
72KB

Download
memory/2132-149-0x00000000001A0000-0x00000000001CF000-memory.dmp

Filesize
188KB

Download
memory/2132-147-0x0000000000DB0000-0x0000000000E43000-memory.dmp

Filesize
588KB

Download
memory/2132-146-0x00000000024D0000-0x000000000281A000-memory.dmp

Filesize
3.3MB

Download
memory/2132-142-0x0000000000000000-mapping.dmp

Download
memory/2132-145-0x00000000001A0000-0x00000000001CF000-memory.dmp

Filesize
188KB

Download
memory/2948-164-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/2948-159-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-141-0x0000000007CE0000-0x0000000007E48000-memory.dmp

Filesize
1.4MB

Download
memory/2948-173-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/2948-148-0x00000000029E0000-0x0000000002A95000-memory.dmp

Filesize
724KB

Download
memory/2948-172-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-150-0x00000000029E0000-0x0000000002A95000-memory.dmp

Filesize
724KB

Download
memory/2948-151-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-152-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-153-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-154-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-155-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-156-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-157-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-158-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-171-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-160-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-161-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-163-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-170-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-165-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-166-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-167-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/2948-168-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2948-169-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/3116-143-0x0000000000000000-mapping.dmp

Download
memory/4904-132-0x0000027D41D90000-0x0000027D41E1E000-memory.dmp

Filesize
568KB

Download
memory/4904-133-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-136-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads