formbook | 630ea8ccea4f9f5667c356a897a037538288d57b4ca6464b3d90d17f3ba182d1

General

Target

SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe
Size

551KB
MD5

599f3da4fcceeff012fb72ed22ba20f1
SHA1

f93448764fccbf21b2f94711bf09310809298e43
SHA256

630ea8ccea4f9f5667c356a897a037538288d57b4ca6464b3d90d17f3ba182d1
SHA512

5384fd2d4d6f735c0e92d6ab64312dcf5d40497995fbdaf76433b9f149f998802bf751b12bbbcdde918ad9e7e87eff40c6d76fa0b443c96e1b710769b2df75e9
SSDEEP

12288:JuN7XJPGa/5LplH5PN3r86eXEONa9iJ8jr4H:Juj+4zZO6Qnyn

Score

10^/10

formbook urde persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

urde

Decoy

belleriacortland.com

gxzyykx.com

blocksholding.net

zhangjiyuan.com

tyfinck.com

xn--v9s.club

xn--72c9at8ec1l.com

dorismart.online

nocodeuni.com

hmmprocesos.website

quartile.agency

iansdogname.com

karengillen.com

the-bitindexprime.info

nthanisolutions.com

nakamu.online

sahityanepal.com

sinwinindustry.com

shotblastwearingparts.com

nstsuccess.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2976-135-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2976-136-0x000000000041F140-mapping.dmp	formbook
behavioral2/memory/2976-143-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5104-146-0x0000000000770000-0x000000000079F000-memory.dmp	formbook
behavioral2/memory/5104-148-0x0000000000770000-0x000000000079F000-memory.dmp	formbook

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5AE0F28A17B54A15A874BD8A56E8F24D = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe\""	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exeCasPol.execscript.exe

description	pid	process	target process
PID 2988 set thread context of 2976	2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe	CasPol.exe
PID 2976 set thread context of 2476	2976	CasPol.exe	Explorer.EXE
PID 5104 set thread context of 2476	5104	cscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exeCasPol.execscript.exe

pid	process
2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe
2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe
2976	CasPol.exe
2976	CasPol.exe
2976	CasPol.exe
2976	CasPol.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe
5104	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2476 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe

pid process

2988 SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

CasPol.execscript.exe

pid process

2976 CasPol.exe
2976 CasPol.exe
2976 CasPol.exe
5104 cscript.exe
5104 cscript.exe

pid	process
2476	Explorer.EXE

pid	process
2976	CasPol.exe
2976	CasPol.exe
2976	CasPol.exe
5104	cscript.exe
5104	cscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exeCasPol.execscript.exe

description	pid	process
Token: SeDebugPrivilege	2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe
Token: SeDebugPrivilege	2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe
Token: SeLoadDriverPrivilege	2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe
Token: SeDebugPrivilege	2976	CasPol.exe
Token: SeDebugPrivilege	5104	cscript.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 2988 wrote to memory of 2800	2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe	CasPol.exe
PID 2988 wrote to memory of 2800	2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe	CasPol.exe
PID 2988 wrote to memory of 2800	2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe	CasPol.exe
PID 2988 wrote to memory of 2976	2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe	CasPol.exe
PID 2988 wrote to memory of 2976	2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe	CasPol.exe
PID 2988 wrote to memory of 2976	2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe	CasPol.exe
PID 2988 wrote to memory of 2976	2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe	CasPol.exe
PID 2988 wrote to memory of 2976	2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe	CasPol.exe
PID 2988 wrote to memory of 2976	2988	SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe	CasPol.exe
PID 2476 wrote to memory of 5104	2476	Explorer.EXE	cscript.exe
PID 2476 wrote to memory of 5104	2476	Explorer.EXE	cscript.exe
PID 2476 wrote to memory of 5104	2476	Explorer.EXE	cscript.exe
PID 5104 wrote to memory of 1876	5104	cscript.exe	cmd.exe
PID 5104 wrote to memory of 1876	5104	cscript.exe	cmd.exe
PID 5104 wrote to memory of 1876	5104	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.5874.22719.exe"
2⤵
- Sets service image path in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1876-144-0x0000000000000000-mapping.dmp

Download
memory/2476-141-0x0000000002620000-0x000000000273E000-memory.dmp

Filesize
1.1MB

Download
memory/2476-151-0x0000000007DA0000-0x0000000007EDD000-memory.dmp

Filesize
1.2MB

Download
memory/2476-150-0x0000000007DA0000-0x0000000007EDD000-memory.dmp

Filesize
1.2MB

Download
memory/2976-136-0x000000000041F140-mapping.dmp

Download
memory/2976-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-139-0x0000000000EB0000-0x00000000011FA000-memory.dmp

Filesize
3.3MB

Download
memory/2976-140-0x0000000001220000-0x0000000001234000-memory.dmp

Filesize
80KB

Download
memory/2976-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2988-132-0x000002573E930000-0x000002573E9BE000-memory.dmp

Filesize
568KB

Download
memory/2988-137-0x00007FFBA6B70000-0x00007FFBA7631000-memory.dmp

Filesize
10.8MB

Download
memory/2988-134-0x00007FFBA6B70000-0x00007FFBA7631000-memory.dmp

Filesize
10.8MB

Download
memory/2988-133-0x00007FFBA6B70000-0x00007FFBA7631000-memory.dmp

Filesize
10.8MB

Download
memory/5104-142-0x0000000000000000-mapping.dmp

Download
memory/5104-145-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/5104-146-0x0000000000770000-0x000000000079F000-memory.dmp

Filesize
188KB

Download
memory/5104-147-0x0000000002BB0000-0x0000000002EFA000-memory.dmp

Filesize
3.3MB

Download
memory/5104-148-0x0000000000770000-0x000000000079F000-memory.dmp

Filesize
188KB

Download
memory/5104-149-0x0000000002940000-0x00000000029D3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads