formbook | 030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498

General

Target

030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe
Size

474KB
MD5

dcb7eaa1fd51e975b67a3ed92509167a
SHA1

528c5a4837a195707581724d408c809433f14a16
SHA256

030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498
SHA512

8b095bc1d1c22db78e1ee1011bd7d6564c3657c4bade729baf803b6df857f88be1fceac74b55b72786df635bbee7ad3ff8d17bbc28da553c1bb08ae275df543c
SSDEEP

6144:WG0tEl7ERlzVxn5zLTjgpjdGXq7IOVf4c0Lu8nuyqvM30vakSNMmoYqTVXwIuODf:BCFzbF3g1kXqZf4czAVMmlq5pTlEv1G

Score

10^/10

formbook xloader qsqm loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

qsqm

Decoy

gYI8BO7T7BQOBw==

5kKpX8NHT4cITCAOEkMYvi5HiMZ5

oq5lCVwFY9KNJipM

OiTOjWhDMXBf8H9o79k=

rSDHx5jqNn3Sz/LND/0G

ob6FSUE4NYUi5Iqg1YGfMg==

fI5oMbAC5EAeerSKKRM2PjF7TYJh

lmWieqE8QHg=

yLxwFWm+rbCJXqE=

MyY9R8VCSaAtEJY2MdHAXKY=

WYA53Ezjh808

EPu6bfMPNJUh

upyUkeqQ6B/FJyq2PCiwnZf/

RvN3e2hDLJQmo9qtZTVoRmPi

hZhWEObjh808

K1gowrFsO5p0UchTUEVoRmPi

7hXPaZ6i+F7o2L8OCCyhNA==

bIp+E/xrSG9QHA==

+EPrJAdvSG9QHA==

METFhoRGH1sBBWhAbA==

Extracted

Family

xloader

Version

3.ƅ

Campaign

qsqm

Decoy

gYI8BO7T7BQOBw==

5kKpX8NHT4cITCAOEkMYvi5HiMZ5

oq5lCVwFY9KNJipM

OiTOjWhDMXBf8H9o79k=

rSDHx5jqNn3Sz/LND/0G

ob6FSUE4NYUi5Iqg1YGfMg==

fI5oMbAC5EAeerSKKRM2PjF7TYJh

lmWieqE8QHg=

yLxwFWm+rbCJXqE=

MyY9R8VCSaAtEJY2MdHAXKY=

WYA53Ezjh808

EPu6bfMPNJUh

upyUkeqQ6B/FJyq2PCiwnZf/

RvN3e2hDLJQmo9qtZTVoRmPi

hZhWEObjh808

K1gowrFsO5p0UchTUEVoRmPi

7hXPaZ6i+F7o2L8OCCyhNA==

bIp+E/xrSG9QHA==

+EPrJAdvSG9QHA==

METFhoRGH1sBBWhAbA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

8 1716 wscript.exe
Loads dropped DLL 1 IoCs

Processes:

wscript.exe

pid process

1716 wscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
8	1716	wscript.exe

pid	process
1716	wscript.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exeCasPol.exewscript.exe

description	pid	process	target process
PID 1752 set thread context of 1724	1752	030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe	CasPol.exe
PID 1724 set thread context of 1248	1724	CasPol.exe	Explorer.EXE
PID 1724 set thread context of 1248	1724	CasPol.exe	Explorer.EXE
PID 1716 set thread context of 1248	1716	wscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wscript.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

CasPol.exewscript.exe

pid	process
1724	CasPol.exe
1724	CasPol.exe
1724	CasPol.exe
1724	CasPol.exe
1724	CasPol.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe
1716	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

CasPol.exewscript.exe

pid process

1724 CasPol.exe
1724 CasPol.exe
1724 CasPol.exe
1724 CasPol.exe
1716 wscript.exe
1716 wscript.exe
1716 wscript.exe
1716 wscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CasPol.exewscript.exe

description pid process

Token: SeDebugPrivilege 1724 CasPol.exe
Token: SeDebugPrivilege 1716 wscript.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE

pid	process
1248	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1724	CasPol.exe
Token: SeDebugPrivilege	1716	wscript.exe

pid	process
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 1752 wrote to memory of 1724	1752	030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe	CasPol.exe
PID 1752 wrote to memory of 1724	1752	030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe	CasPol.exe
PID 1752 wrote to memory of 1724	1752	030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe	CasPol.exe
PID 1752 wrote to memory of 1724	1752	030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe	CasPol.exe
PID 1752 wrote to memory of 1724	1752	030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe	CasPol.exe
PID 1752 wrote to memory of 1724	1752	030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe	CasPol.exe
PID 1752 wrote to memory of 1724	1752	030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe	CasPol.exe
PID 1248 wrote to memory of 1716	1248	Explorer.EXE	wscript.exe
PID 1248 wrote to memory of 1716	1248	Explorer.EXE	wscript.exe
PID 1248 wrote to memory of 1716	1248	Explorer.EXE	wscript.exe
PID 1248 wrote to memory of 1716	1248	Explorer.EXE	wscript.exe
PID 1716 wrote to memory of 1604	1716	wscript.exe	Firefox.exe
PID 1716 wrote to memory of 1604	1716	wscript.exe	Firefox.exe
PID 1716 wrote to memory of 1604	1716	wscript.exe	Firefox.exe
PID 1716 wrote to memory of 1604	1716	wscript.exe	Firefox.exe
PID 1716 wrote to memory of 1604	1716	wscript.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe
  "C:\Users\Admin\AppData\Local\Temp\030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mptpgbmx.zip

Filesize
433KB

MD5
ecc8ac417181d4885ef8c208d1f073dc

SHA1
33154e45485bc0ae3bb0203ffcb9baaaed4038d3

SHA256
d01c69d09282f9050f6b113c45884fe9b9abf3bdf5bd93b45927d9b6bfb233fe

SHA512
f7601763447bed9b7b45fef2bd584da669636d2657c6066516c949e713ce1caf0641a1889345e92e584b84f438fa19029d13c6f6f1583d35fcc1eb3f998631da

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
828KB

MD5
d5ea9b5814553bd2f9bbb8bf0ea94ed6

SHA1
29629836c088dcd968efb321832edcbcfaac5b51

SHA256
5ea67d6b7f67301ca214af511740f26b9e6cc9e16b2c0ec7bba071d05b9bde78

SHA512
6867452995c8354622fe22ce4fb4868d2b9cb28bb31aa60b42f06e494b952f66c427aa66c7af09240954bf55ebcde62d4c7feb9d99e742ea3bc5beb3756a7a1e

Download Submit
memory/1248-66-0x00000000000A0000-0x00000000001A0000-memory.dmp

Filesize
1024KB

Download
memory/1248-81-0x0000000006940000-0x0000000006A1F000-memory.dmp

Filesize
892KB

Download
memory/1248-79-0x0000000006940000-0x0000000006A1F000-memory.dmp

Filesize
892KB

Download
memory/1248-60-0x00000000000A0000-0x00000000001A0000-memory.dmp

Filesize
1024KB

Download
memory/1248-78-0x0000000006940000-0x0000000006A1F000-memory.dmp

Filesize
892KB

Download
memory/1248-75-0x0000000003C10000-0x0000000003E10000-memory.dmp

Filesize
2.0MB

Download
memory/1248-64-0x00000000047A0000-0x0000000004897000-memory.dmp

Filesize
988KB

Download
memory/1248-68-0x0000000006FB0000-0x0000000007143000-memory.dmp

Filesize
1.6MB

Download
memory/1716-73-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download
memory/1716-74-0x0000000002140000-0x0000000002443000-memory.dmp

Filesize
3.0MB

Download
memory/1716-125-0x0000000061E00000-0x0000000061EBC000-memory.dmp

Filesize
752KB

Download
memory/1716-77-0x0000000000970000-0x00000000009FF000-memory.dmp

Filesize
572KB

Download
memory/1716-71-0x0000000000B80000-0x0000000000BA6000-memory.dmp

Filesize
152KB

Download
memory/1716-69-0x0000000000B80000-0x0000000000BA6000-memory.dmp

Filesize
152KB

Download
memory/1716-72-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download
memory/1724-63-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/1724-67-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1724-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-61-0x0000000000AC0000-0x0000000000DC3000-memory.dmp

Filesize
3.0MB

Download
memory/1724-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-54-0x0000000000920000-0x000000000099A000-memory.dmp

Filesize
488KB

Download
memory/1752-56-0x0000000002350000-0x00000000023C4000-memory.dmp

Filesize
464KB

Download
memory/1752-55-0x000000001AF40000-0x000000001AFC0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads