SecuriteInfo.com.Variant.Zusy.394472.15672.20727

General
Target

SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe

Filesize

193KB

Completed

22-07-2021 08:50

Score
10 /10
MD5

89cfb542cda6a428cc5c02feaf3c55f8

SHA1

9a0606c633ffe5ae4b6dcb7dcfba57b7e22cb05d

SHA256

b663fea76aadbf574e5bb9f704ad689ec10f0d720b0b9641e70b27494fe4cc17

Malware Config

Extracted

Family formbook
Version 4.1
C2

http://www.yjhlgg.com/grve/

Decoy

jrvinganimalexterminator.com

smallsyalls.com

po1c3.com

mencg.com

aussieenjoyment.today

espace22.com

aanmelding-desk.info

gallopshoes.com

nftsexy.com

ricosdulcesmexicanos.com

riseswift.com

thechicthirty.com

matdcg.com

alternet.today

creativehuesdesigns.com

rjkcrafts.com

lowdosemortgage.com

adoptahamster.com

wellness-sense.com

jacardcapital.com

pastiindonesia.com

lindsaynathan2021.com

brisbanemagicians.com

tvglanz.com

388384.com

mitgrim.com

endonelatrading.com

political.singles

ganjegirls.com

democratscancelled.com

ytzhubao.com

roiskylands.com

zamlgroup.com

winstonsalemathleticclub.com

62qtz2.com

caddyys.com

ecorarte.com

coonier.com

cbgmanhattan-hub.com

givanon.com

tioniis11.com

variceselite.com

tasaciona.com

hiphopeconomicdevelopment.com

citrixfile.com

piebuilder.com

drmetalpublishing.com

themesthatyoulike.com

vinhomes-phamhung.info

ardecentro.com

Signatures 6

Filter: none

  • Formbook

    Description

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook Payload

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral1/memory/2004-63-0x0000000000400000-0x000000000042E000-memory.dmpformbook
  • Suspicious use of SetThreadContext
    SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 308 set thread context of 2004308SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exeSecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe
  • Suspicious behavior: EnumeratesProcesses
    SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe

    Reported IOCs

    pidprocess
    2004SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe
  • Suspicious behavior: MapViewOfSection
    SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe

    Reported IOCs

    pidprocess
    308SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe
  • Suspicious use of WriteProcessMemory
    SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 308 wrote to memory of 2004308SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exeSecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe
    PID 308 wrote to memory of 2004308SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exeSecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe
    PID 308 wrote to memory of 2004308SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exeSecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe
    PID 308 wrote to memory of 2004308SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exeSecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe
    PID 308 wrote to memory of 2004308SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exeSecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: MapViewOfSection
    Suspicious use of WriteProcessMemory
    PID:308
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.394472.15672.20727.exe"
      Suspicious behavior: EnumeratesProcesses
      PID:2004
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads
                          • memory/308-60-0x0000000075A31000-0x0000000075A33000-memory.dmp

                          • memory/308-62-0x0000000000280000-0x0000000000282000-memory.dmp

                          • memory/2004-61-0x000000000041EAF0-mapping.dmp

                          • memory/2004-63-0x0000000000400000-0x000000000042E000-memory.dmp

                          • memory/2004-64-0x0000000000990000-0x0000000000C93000-memory.dmp