formbook | c39d731b9c91c2a4cec5b7fc2c347f3f01fa10c7f2c661ca26d1bb93162c6c10

General

Target

SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
Size

856KB
MD5

833b9bedbd4049765c46eb9b0c96d2f2
SHA1

2e2293d4eacc6843611f89263c264ed94106b9a9
SHA256

c39d731b9c91c2a4cec5b7fc2c347f3f01fa10c7f2c661ca26d1bb93162c6c10
SHA512

d4aff25d3cbe550dc58cbab8cb1ee3aa2b091f5b123a96f8f6f07497e49911ef1e18e2b8009aac40c8583a12a881fc44a139648ff924734429b23643b0960026
SSDEEP

12288:8BnELRUxM4QIv/yqtbxn5nAwnw2IN5xiHLpAJZOS/xYlqpw2K:8BcRD4QIv/yKZeIINurpAmaxKqB

Score

10^/10

formbook 49id rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

49id

Decoy

Lx+qn+IuFHrpYw4aLjqrV0s=

oTFyf7DpzDr0CxnANoHd0ZVn/P8=

trcX/OnzxdkmnRMQYog=

bAVbrILTo2dyzVNRlZs=

iAt82zY2FbeLnZ8ehqD3sK3DSc/7

RthInWSwiITUYAQES3n0

HqXZ8LT4ijH4

4b3T7LD8lizy

5vB1eWJzRz5Ypzm/NYXPcz5O7f0=

cR4+Ihw2Dip6B4MTL5XnkA==

7pPqTAFNLJ5iZ4AlY4LXnYc/2KDXVrE=

OOZBmRMh+XcG5R3WGjmDKfzDSc/7

w9u6j6Eu1IZfM1UZ

zEzLU87y1D/by8xuxcvs5JcY

PsU4iyYvBf8LYQQES3n0

22GzGcX92mw0Hhy89Xng

fzOL5pruzSWaYm79VoD14Vvq1w==

Ltts7l9lO8GnD4kXL5XnkA==

uuw9zZXjqDLEk50zm9Hs5JcY

zk+U6pwAzuk5t3QwM3bxhw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3928 set thread context of 4372	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	102

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
4372	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
4372	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 4800	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	99
PID 3928 wrote to memory of 4800	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	99
PID 3928 wrote to memory of 4800	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	99
PID 3928 wrote to memory of 3948	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	100
PID 3928 wrote to memory of 3948	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	100
PID 3928 wrote to memory of 3948	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	100
PID 3928 wrote to memory of 3540	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	101
PID 3928 wrote to memory of 3540	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	101
PID 3928 wrote to memory of 3540	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	101
PID 3928 wrote to memory of 4372	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	102
PID 3928 wrote to memory of 4372	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	102
PID 3928 wrote to memory of 4372	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	102
PID 3928 wrote to memory of 4372	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	102
PID 3928 wrote to memory of 4372	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	102
PID 3928 wrote to memory of 4372	3928	SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe	102

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe"
  2⤵
  PID:4800
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe"
  2⤵
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe"
  2⤵
  PID:3540
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.32508.30060.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3928-133-0x0000000005F00000-0x00000000064A4000-memory.dmp

Filesize
5.6MB

Download
memory/3928-134-0x0000000005800000-0x0000000005892000-memory.dmp

Filesize
584KB

Download
memory/3928-135-0x00000000031F0000-0x00000000031FA000-memory.dmp

Filesize
40KB

Download
memory/3928-136-0x00000000091F0000-0x000000000928C000-memory.dmp

Filesize
624KB

Download
memory/3928-137-0x0000000009440000-0x00000000094A6000-memory.dmp

Filesize
408KB

Download
memory/3928-132-0x0000000000CD0000-0x0000000000DAC000-memory.dmp

Filesize
880KB

Download
memory/4372-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-145-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4372-146-0x0000000001470000-0x00000000017BA000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing