General

  • Target: Lorex.AdluminInstaller.msi
  • Size: 6.5MB
  • Sample: 230510-wzv4yahg24
  • MD5: ba9f849e3c6e57316548367f0f6a444b
  • SHA1: 34b80863cddfd512be800f366f282eb58fdfc640
  • SHA256: dc2c8c8369c3dee48feb6b43b5467f22e6a0c939257207828104ed8d94b154d2
  • SHA512: 93c324b2849e9642de25370d3e73f246384f00c2ef49c2d624f495447b856e4a74911066779650a35249bd8518cf4b4944c168982c3613f29f6a9405b74aa21d
  • SSDEEP: 98304:ZiWF9TZpfEK0lk5xmY7aRGm7XCiiQO95anWA25u2tEYjTMy5rp5WpiSvv:r91pSlkqFGICii15HrgYjTMIrfWESvv

Malware Config

Extracted

  • Family: tofsee
  • C2: vanaheim.cn, jotunheim.name

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: m82
  • Decoy

Targets

    • Formbook: Formbook is a data-stealing malware family.
    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Formbook payload
    • Blocklisted process makes network request
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Registers COM server for autorun
    • Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
    • Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
    • Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task: T1053 (1)
  • Command-Line Interface: T1059 (1)

Persistence

  • New Service: T1050 (1)
  • Modify Existing Service: T1031 (1)
  • Registry Run Keys / Startup Folder: T1060 (2)
  • Scheduled Task: T1053 (1)

Privilege Escalation

  • New Service: T1050 (1)
  • Scheduled Task: T1053 (1)

Defense Evasion

  • Modify Registry: T1112 (3)
  • Install Root Certificate: T1130 (1)

Discovery

  • Query Registry: T1012 (6)
  • System Information Discovery: T1082 (6)
  • Peripheral Device Discovery: T1120 (2)

Tasks