formbook | b6712885245cad12ca99d6746183646f3634e65e253165f068e936a8ac60905c

General

Target

SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe
Size

980KB
MD5

6057fd884c1361af640d0a9c96179319
SHA1

a824f4c43c02b884aa1185a5ebbb6e4d8465aa96
SHA256

b6712885245cad12ca99d6746183646f3634e65e253165f068e936a8ac60905c
SHA512

ce3d0e3a4f8af625c1f315368a7c3180e49f9befdcf25353fe34df81764f2af974195bc22fe2a141283452d2d0b0ff66fcda12d866cda7cc7d1f82b9b45aa51a
SSDEEP

24576:7xefR5++9JIVvjANCfPizG8+gHW3C8v7j+bkw:76H9iNj7nizGdg23Hft

Score

10^/10

formbook adb9 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

adb9

Decoy

DJGECa7+LFJoV6LsTejo

UWLNOz175iJP

xGBGiZA+ZCDKf3qnAA==

y3NkiKS76ZCeJj2tlDg=

uWlFfxuWr7t4FYSyjmnpvYw=

xeVUZ/JXq2MIoPg/nEVXACuBMLZ1d5Zz

tr0vYfpgyI0u2VI=

K1zKLkLpBq1mMc4VjUcBmA==

96WKDpiUzdXqlgg2kMNn91iUSqIV

be/jPMb2L9n5puWNkTI=

qDUNmTtyveqRsOcP0D4=

XnbbSVn9MzvYRGhR8ng8HoC811c=

v7kamZ0gUotxcISD

a2XNHUY6YR1SNmdhWklNVijI6UU=

hiockjZloTLVRm1uhmnpvYw=

a3rSQTEjmjCHf3qnAA==

XmfZNULaARoyAZNIkP7x

bxX6hxARiPGybp+d

ra8TOuyl3fa1PaLqt1AE3T7L

s5d0qjxglybJf3qnAA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3700 set thread context of 1232	3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	83
PID 1232 set thread context of 3548	1232	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	85

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe
3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe
1232	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe
1232	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe
3548	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe
3548	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe
Token: SeDebugPrivilege	1232	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 1236	3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	82
PID 3700 wrote to memory of 1236	3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	82
PID 3700 wrote to memory of 1236	3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	82
PID 3700 wrote to memory of 1232	3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	83
PID 3700 wrote to memory of 1232	3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	83
PID 3700 wrote to memory of 1232	3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	83
PID 3700 wrote to memory of 1232	3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	83
PID 3700 wrote to memory of 1232	3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	83
PID 3700 wrote to memory of 1232	3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	83
PID 3700 wrote to memory of 1232	3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	83
PID 3700 wrote to memory of 1232	3700	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	83
PID 1232 wrote to memory of 2340	1232	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	84
PID 1232 wrote to memory of 2340	1232	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	84
PID 1232 wrote to memory of 2340	1232	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	84
PID 1232 wrote to memory of 3548	1232	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	85
PID 1232 wrote to memory of 3548	1232	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	85
PID 1232 wrote to memory of 3548	1232	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	85
PID 1232 wrote to memory of 3548	1232	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	85
PID 1232 wrote to memory of 3548	1232	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	85
PID 1232 wrote to memory of 3548	1232	SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe	85

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe"
  2⤵
  PID:1236
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe"
    3⤵
    PID:2340
- - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.PackedNET.1761.1186.21798.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/1232-139-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3548-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-146-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3548-147-0x00000000018F0000-0x0000000001C3A000-memory.dmp

Filesize
3.3MB

Download
memory/3700-136-0x0000000009420000-0x00000000094BC000-memory.dmp

Filesize
624KB

Download
memory/3700-135-0x0000000005A00000-0x0000000005A0A000-memory.dmp

Filesize
40KB

Download
memory/3700-134-0x0000000005A20000-0x0000000005AB2000-memory.dmp

Filesize
584KB

Download
memory/3700-133-0x0000000005EF0000-0x0000000006494000-memory.dmp

Filesize
5.6MB

Download
memory/3700-132-0x0000000000F60000-0x000000000105C000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing