formbook | 71562f1899bf12998b47d4f245d62c07e152a91ee9191dfaff9a963e3fcd3f7f

General

Target

SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe
Size

552KB
MD5

46333b6ff15c92a0338fb82a3ffda095
SHA1

e0c71790f415c5894a89c72f047fc2080e920ee4
SHA256

71562f1899bf12998b47d4f245d62c07e152a91ee9191dfaff9a963e3fcd3f7f
SHA512

92644ed70c4f28a72399c98ec8c5e72ec4c073e31069a6887dc2a265f6e58c70d7c5f6919a8c1e99f922a939c899e72a4711bc87e914ad053233012e623875a0
SSDEEP

12288:GbXKERz+4rqtEmCqfupYcjyf5ITpqRiixvx4bsFslx+haSw8:GtC4utExqf6YX5ITpRixvx4oFslx+hrw

Score

10^/10

formbook urde rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

urde

Decoy

belleriacortland.com

gxzyykx.com

blocksholding.net

zhangjiyuan.com

tyfinck.com

xn--v9s.club

xn--72c9at8ec1l.com

dorismart.online

nocodeuni.com

hmmprocesos.website

quartile.agency

iansdogname.com

karengillen.com

the-bitindexprime.info

nthanisolutions.com

nakamu.online

sahityanepal.com

sinwinindustry.com

shotblastwearingparts.com

nstsuccess.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4248-134-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4248-135-0x000000000041F140-mapping.dmp	formbook
behavioral2/memory/4248-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1748-145-0x0000000001100000-0x000000000112F000-memory.dmp	formbook
behavioral2/memory/1748-149-0x0000000001100000-0x000000000112F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exeCasPol.execmd.exe

description	pid	process	target process
PID 2232 set thread context of 4248	2232	SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe	CasPol.exe
PID 4248 set thread context of 2940	4248	CasPol.exe	Explorer.EXE
PID 1748 set thread context of 2940	1748	cmd.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

CasPol.execmd.exe

pid	process
4248	CasPol.exe
4248	CasPol.exe
4248	CasPol.exe
4248	CasPol.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe
1748	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2940 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

CasPol.execmd.exe

pid process

4248 CasPol.exe
4248 CasPol.exe
4248 CasPol.exe
1748 cmd.exe
1748 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CasPol.execmd.exe

description pid process

Token: SeDebugPrivilege 4248 CasPol.exe
Token: SeDebugPrivilege 1748 cmd.exe

pid	process
2940	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4248	CasPol.exe
Token: SeDebugPrivilege	1748	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2232 wrote to memory of 4248	2232	SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe	CasPol.exe
PID 2232 wrote to memory of 4248	2232	SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe	CasPol.exe
PID 2232 wrote to memory of 4248	2232	SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe	CasPol.exe
PID 2232 wrote to memory of 4248	2232	SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe	CasPol.exe
PID 2232 wrote to memory of 4248	2232	SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe	CasPol.exe
PID 2232 wrote to memory of 4248	2232	SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe	CasPol.exe
PID 2940 wrote to memory of 1748	2940	Explorer.EXE	cmd.exe
PID 2940 wrote to memory of 1748	2940	Explorer.EXE	cmd.exe
PID 2940 wrote to memory of 1748	2940	Explorer.EXE	cmd.exe
PID 1748 wrote to memory of 5060	1748	cmd.exe	cmd.exe
PID 1748 wrote to memory of 5060	1748	cmd.exe	cmd.exe
PID 1748 wrote to memory of 5060	1748	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
PID:5060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1748-144-0x0000000000D80000-0x0000000000DDA000-memory.dmp

Filesize
360KB

Download
memory/1748-141-0x0000000000000000-mapping.dmp

Download
memory/1748-149-0x0000000001100000-0x000000000112F000-memory.dmp

Filesize
188KB

Download
memory/1748-147-0x00000000017D0000-0x0000000001863000-memory.dmp

Filesize
588KB

Download
memory/1748-146-0x0000000001920000-0x0000000001C6A000-memory.dmp

Filesize
3.3MB

Download
memory/1748-145-0x0000000001100000-0x000000000112F000-memory.dmp

Filesize
188KB

Download
memory/2232-132-0x00000251B3510000-0x00000251B359E000-memory.dmp

Filesize
568KB

Download
memory/2232-136-0x00007FFBFEF90000-0x00007FFBFFA51000-memory.dmp

Filesize
10.8MB

Download
memory/2232-133-0x00007FFBFEF90000-0x00007FFBFFA51000-memory.dmp

Filesize
10.8MB

Download
memory/2940-148-0x0000000008AE0000-0x0000000008BE9000-memory.dmp

Filesize
1.0MB

Download
memory/2940-140-0x0000000008550000-0x0000000008658000-memory.dmp

Filesize
1.0MB

Download
memory/2940-150-0x0000000008AE0000-0x0000000008BE9000-memory.dmp

Filesize
1.0MB

Download
memory/4248-137-0x0000000001060000-0x00000000013AA000-memory.dmp

Filesize
3.3MB

Download
memory/4248-135-0x000000000041F140-mapping.dmp

Download
memory/4248-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4248-139-0x0000000000F80000-0x0000000000F94000-memory.dmp

Filesize
80KB

Download
memory/4248-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5060-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads