formbook | 6e6dab1a248e5205aca778a9e1e2135f7f888cbd5d1edf4debe0efb6cda89fa7

General

Target

SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe
Size

553KB
MD5

0a980f3bf229381c16b1a756fbf5f5c7
SHA1

94df4edd4f776b4fe2f32b198373b13641dcbec0
SHA256

6e6dab1a248e5205aca778a9e1e2135f7f888cbd5d1edf4debe0efb6cda89fa7
SHA512

2cb0d46940e40ac9451b252ec205786689e74c3dd549fd48883989ac9e1f8b292d8695c624ef5d86c848e0858c446f6fe86a47cffd9aee001fcd945855687666
SSDEEP

12288:JxKCYox8CiJoyRo3a5BUwnYZ/eZD2JZoxEkigK:PKpoK5Ro3wBXnM/eZcZoe

Score

10^/10

formbook urde rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

urde

Decoy

belleriacortland.com

gxzyykx.com

blocksholding.net

zhangjiyuan.com

tyfinck.com

xn--v9s.club

xn--72c9at8ec1l.com

dorismart.online

nocodeuni.com

hmmprocesos.website

quartile.agency

iansdogname.com

karengillen.com

the-bitindexprime.info

nthanisolutions.com

nakamu.online

sahityanepal.com

sinwinindustry.com

shotblastwearingparts.com

nstsuccess.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/856-57-0x000000000041F140-mapping.dmp	formbook
behavioral1/memory/856-56-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/856-59-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1708-65-0x00000000001C0000-0x00000000001EF000-memory.dmp	formbook
behavioral1/memory/1708-70-0x00000000001C0000-0x00000000001EF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exeCasPol.exenetsh.exe

description	pid	process	target process
PID 912 set thread context of 856	912	SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe	CasPol.exe
PID 856 set thread context of 1216	856	CasPol.exe	Explorer.EXE
PID 1708 set thread context of 1216	1708	netsh.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

CasPol.exenetsh.exe

pid	process
856	CasPol.exe
856	CasPol.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe
1708	netsh.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

CasPol.exenetsh.exe

pid process

856 CasPol.exe
856 CasPol.exe
856 CasPol.exe
1708 netsh.exe
1708 netsh.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exeCasPol.exenetsh.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	912	SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe
Token: SeDebugPrivilege	856	CasPol.exe
Token: SeDebugPrivilege	1708	netsh.exe
Token: SeShutdownPrivilege	1216	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 912 wrote to memory of 856	912	SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe	CasPol.exe
PID 912 wrote to memory of 856	912	SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe	CasPol.exe
PID 912 wrote to memory of 856	912	SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe	CasPol.exe
PID 912 wrote to memory of 856	912	SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe	CasPol.exe
PID 912 wrote to memory of 856	912	SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe	CasPol.exe
PID 912 wrote to memory of 856	912	SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe	CasPol.exe
PID 912 wrote to memory of 856	912	SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe	CasPol.exe
PID 1216 wrote to memory of 1708	1216	Explorer.EXE	netsh.exe
PID 1216 wrote to memory of 1708	1216	Explorer.EXE	netsh.exe
PID 1216 wrote to memory of 1708	1216	Explorer.EXE	netsh.exe
PID 1216 wrote to memory of 1708	1216	Explorer.EXE	netsh.exe
PID 1708 wrote to memory of 1248	1708	netsh.exe	cmd.exe
PID 1708 wrote to memory of 1248	1708	netsh.exe	cmd.exe
PID 1708 wrote to memory of 1248	1708	netsh.exe	cmd.exe
PID 1708 wrote to memory of 1248	1708	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
PID:1248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-57-0x000000000041F140-mapping.dmp

Download
memory/856-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-60-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/856-61-0x0000000000310000-0x0000000000324000-memory.dmp

Filesize
80KB

Download
memory/912-55-0x00000000004F0000-0x0000000000562000-memory.dmp

Filesize
456KB

Download
memory/912-54-0x0000000001000000-0x000000000108E000-memory.dmp

Filesize
568KB

Download
memory/1216-62-0x0000000004260000-0x0000000004314000-memory.dmp

Filesize
720KB

Download
memory/1216-71-0x0000000004C60000-0x0000000004DDF000-memory.dmp

Filesize
1.5MB

Download
memory/1216-69-0x0000000004C60000-0x0000000004DDF000-memory.dmp

Filesize
1.5MB

Download
memory/1248-66-0x0000000000000000-mapping.dmp

Download
memory/1708-63-0x0000000000000000-mapping.dmp

Download
memory/1708-67-0x0000000000A50000-0x0000000000D53000-memory.dmp

Filesize
3.0MB

Download
memory/1708-68-0x0000000000900000-0x0000000000993000-memory.dmp

Filesize
588KB

Download
memory/1708-64-0x0000000001630000-0x000000000164B000-memory.dmp

Filesize
108KB

Download
memory/1708-70-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/1708-65-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads