formbook | bd4e6d059703f5a320f62a2db4c3b89e6c1878f0be17c06c494f0c1328fd1c50

General

Target

HA-22-2819922-077.exe
Size

551KB
MD5

f3fa21b3a4822c327047bf6937862210
SHA1

39d943eb69e2823d90544c259faff8097e0337ce
SHA256

bd4e6d059703f5a320f62a2db4c3b89e6c1878f0be17c06c494f0c1328fd1c50
SHA512

e66cf4dc486aa340f593d3354caa5636550fd7cfb0ba16e4a41db4411b3546b787b43e673a8356a75859805e2a73a0e7f6b4256eaa61f6049aef5db3075293d5
SSDEEP

12288:JuN7XJPGa/5LplH5PN3r86eXEONa9iJ8jr4H:Juj+4zZO6Qnyn

Score

10^/10

formbook urde persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

urde

Decoy

belleriacortland.com

gxzyykx.com

blocksholding.net

zhangjiyuan.com

tyfinck.com

xn--v9s.club

xn--72c9at8ec1l.com

dorismart.online

nocodeuni.com

hmmprocesos.website

quartile.agency

iansdogname.com

karengillen.com

the-bitindexprime.info

nthanisolutions.com

nakamu.online

sahityanepal.com

sinwinindustry.com

shotblastwearingparts.com

nstsuccess.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/936-56-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/936-57-0x000000000041F140-mapping.dmp	formbook
behavioral1/memory/936-59-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1088-66-0x0000000000070000-0x000000000009F000-memory.dmp	formbook
behavioral1/memory/1088-71-0x0000000000070000-0x000000000009F000-memory.dmp	formbook

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HA-22-2819922-077.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	HA-22-2819922-077.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HA-22-2819922-077.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\5AE0F28A17B54A15A874BD8A56E8F24D = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HA-22-2819922-077.exe\""	HA-22-2819922-077.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

HA-22-2819922-077.exeCasPol.execscript.exe

description	pid	process	target process
PID 1148 set thread context of 936	1148	HA-22-2819922-077.exe	CasPol.exe
PID 936 set thread context of 1268	936	CasPol.exe	Explorer.EXE
PID 1088 set thread context of 1268	1088	cscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

HA-22-2819922-077.exeCasPol.execscript.exe

pid	process
1148	HA-22-2819922-077.exe
936	CasPol.exe
936	CasPol.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe
1088	cscript.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

HA-22-2819922-077.exe

pid process

1148 HA-22-2819922-077.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

CasPol.execscript.exe

pid process

936 CasPol.exe
936 CasPol.exe
936 CasPol.exe
1088 cscript.exe
1088 cscript.exe

pid	process
936	CasPol.exe
936	CasPol.exe
936	CasPol.exe
1088	cscript.exe
1088	cscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

HA-22-2819922-077.exeCasPol.execscript.exe

description	pid	process
Token: SeDebugPrivilege	1148	HA-22-2819922-077.exe
Token: SeDebugPrivilege	1148	HA-22-2819922-077.exe
Token: SeLoadDriverPrivilege	1148	HA-22-2819922-077.exe
Token: SeDebugPrivilege	936	CasPol.exe
Token: SeDebugPrivilege	1088	cscript.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

HA-22-2819922-077.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 1148 wrote to memory of 2004	1148	HA-22-2819922-077.exe	CasPol.exe
PID 1148 wrote to memory of 2004	1148	HA-22-2819922-077.exe	CasPol.exe
PID 1148 wrote to memory of 2004	1148	HA-22-2819922-077.exe	CasPol.exe
PID 1148 wrote to memory of 2004	1148	HA-22-2819922-077.exe	CasPol.exe
PID 1148 wrote to memory of 936	1148	HA-22-2819922-077.exe	CasPol.exe
PID 1148 wrote to memory of 936	1148	HA-22-2819922-077.exe	CasPol.exe
PID 1148 wrote to memory of 936	1148	HA-22-2819922-077.exe	CasPol.exe
PID 1148 wrote to memory of 936	1148	HA-22-2819922-077.exe	CasPol.exe
PID 1148 wrote to memory of 936	1148	HA-22-2819922-077.exe	CasPol.exe
PID 1148 wrote to memory of 936	1148	HA-22-2819922-077.exe	CasPol.exe
PID 1148 wrote to memory of 936	1148	HA-22-2819922-077.exe	CasPol.exe
PID 1268 wrote to memory of 1088	1268	Explorer.EXE	cscript.exe
PID 1268 wrote to memory of 1088	1268	Explorer.EXE	cscript.exe
PID 1268 wrote to memory of 1088	1268	Explorer.EXE	cscript.exe
PID 1268 wrote to memory of 1088	1268	Explorer.EXE	cscript.exe
PID 1088 wrote to memory of 956	1088	cscript.exe	cmd.exe
PID 1088 wrote to memory of 956	1088	cscript.exe	cmd.exe
PID 1088 wrote to memory of 956	1088	cscript.exe	cmd.exe
PID 1088 wrote to memory of 956	1088	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\HA-22-2819922-077.exe
  "C:\Users\Admin\AppData\Local\Temp\HA-22-2819922-077.exe"
  2⤵
  - Sets service image path in registry
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:2004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:936
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/936-61-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/936-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/936-57-0x000000000041F140-mapping.dmp

Download
memory/936-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/936-60-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/956-64-0x0000000000000000-mapping.dmp

Download
memory/1088-63-0x0000000000000000-mapping.dmp

Download
memory/1088-65-0x00000000009A0000-0x00000000009C2000-memory.dmp

Filesize
136KB

Download
memory/1088-66-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/1088-67-0x00000000020A0000-0x00000000023A3000-memory.dmp

Filesize
3.0MB

Download
memory/1088-68-0x00000000008F0000-0x0000000000983000-memory.dmp

Filesize
588KB

Download
memory/1088-71-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/1148-54-0x0000000000010000-0x000000000009E000-memory.dmp

Filesize
568KB

Download
memory/1148-55-0x0000000001E50000-0x0000000001EC2000-memory.dmp

Filesize
456KB

Download
memory/1268-62-0x0000000002A00000-0x0000000002AEA000-memory.dmp

Filesize
936KB

Download
memory/1268-69-0x0000000004AB0000-0x0000000004C08000-memory.dmp

Filesize
1.3MB

Download
memory/1268-70-0x0000000002A00000-0x0000000002AEA000-memory.dmp

Filesize
936KB

Download
memory/1268-72-0x0000000004AB0000-0x0000000004C08000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads