Overview

overview

10

Static

static

SecuriteIn...53.exe

windows7-x64

10

SecuriteIn...53.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2022 20:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe

  • Size

    684KB

  • MD5

    0379ae001c1c573492d6691c94d2a540

  • SHA1

    f92b3c78bb2170074ae40f92743432ef10d55f06

  • SHA256

    7fa778a38b6adbec2ed8ca4e50d2971c4f135c1bf3b7c24a9adb8f86d3ad2ec5

  • SHA512

    d1137357639c3c55460cde25047a4f9706c5ab6501b996cff0ffc30468d4f534da9433218d0a7a4b1c7c2badaf3e44e786443c0b9543b0cc7868f19d28257658

  • SSDEEP

    12288:Zrl405A0lVmc7QFRj+ppGLVXcw1916s5cIGdbT0POkCU4H011Q+T3l+zj:BplVTE/9KC916s5cIMkCUFqC3wzj

Score
10/10
formbook4u5aratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

4u5a

Decoy

Y9HWoINcPu0r7SSSKt4FCmk7

G/E64auYdhRQM4wZW2bcOaY=

bL57APty/StRpW49a+EdxA==

TppryJ0SoslHe8gJFVc=

HXxDShYIEcUJDahdv2nvl5Hlbp4=

EKaq5c6w0nV3WWlEqM4Www==

VM+YjE8XS1OLcH1roYF4zA==

OwK0wxmBGnq2Fg==

B1zy4bulyfY9tj9DK2eIkeYArpTt

Avj5JeA8m9girqfQ4+cZxA==

AOY4dmDFkCdX8HUJMw==

5cQUw3pPMYr07V8=

P7ZsN4/zt63AEw==

FYyVCOpB8Vl//kSkDLPo91Yy

jxwZTBp+5gcsccPxDF+K4bDG2Rpp0A==

iGx9AO58DRhZbXX9

prwVyLkAtlhSU6irmansg8wArpTt

uqa8ZPl+FFObOkdFNg==

tL4OhF22EDaEOkdFNg==

6exH76Z9o7eu/n86vgPE

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownloaderNET.345.21626.32453.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:816
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:2476

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/816-139-0x0000000001890000-0x0000000001BDA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/816-133-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/816-134-0x00000000004012B0-mapping.dmp
      Download
    • memory/816-142-0x0000000001260000-0x0000000001270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/816-141-0x0000000000401000-0x000000000042E000-memory.dmp
      Filesize

      180KB

      Download
    • memory/816-138-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/816-140-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2200-137-0x00007FFE18DE0000-0x00007FFE198A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2200-132-0x000001898ADB0000-0x000001898AE62000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2200-135-0x00007FFE18DE0000-0x00007FFE198A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2724-143-0x00000000028A0000-0x000000000299D000-memory.dmp
      Filesize

      1012KB

      Download
    • memory/2724-150-0x00000000029E0000-0x0000000002AAF000-memory.dmp
      Filesize

      828KB

      Download
    • memory/2724-151-0x00000000029E0000-0x0000000002AAF000-memory.dmp
      Filesize

      828KB

      Download
    • memory/5012-144-0x0000000000000000-mapping.dmp
      Download
    • memory/5012-146-0x0000000000380000-0x00000000003AD000-memory.dmp
      Filesize

      180KB

      Download
    • memory/5012-145-0x0000000000620000-0x0000000000647000-memory.dmp
      Filesize

      156KB

      Download
    • memory/5012-147-0x0000000002770000-0x0000000002ABA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/5012-148-0x0000000000380000-0x00000000003AD000-memory.dmp
      Filesize

      180KB

      Download
    • memory/5012-149-0x00000000025A0000-0x000000000262F000-memory.dmp
      Filesize

      572KB

      Download