Analysis
-
max time kernel
139s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
09-07-2023 12:30
General
-
Target
SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
-
Size
261KB
-
MD5
b3368c7d14c040c8734d69b5bbc0c635
-
SHA1
d34224b8b7e01e22292a7eac678d337f00834a2b
-
SHA256
a8f5392112f282b9d32749631c3d85fc6b568dd0b3fe91ffb8c5c7215e3f7114
-
SHA512
5b036fe1a1650b8fbf03b2d4a91692ad271ce3a7fd572d6256e7b8aa71d9a8849b610865e782d2ab8566b7c44ee61af8965ab922d9e7ea552cb04734aee39c34
-
SSDEEP
3072:FJ2S2L6KbqDCwcrMEEKsmO39oW1jSAI+ltOJ7y4UjjiJ0bUSgSBQ8QNn9lmDe5+W:F8LxBszXOyrSJm/bQN9laFexrODdtKRf
Malware Config
Extracted
formbook
4.1
dn7r
eventphotographerdfw.com
thehalalcoinstaking.com
philipfaziofineart.com
intercoh.com
gaiaseyephotography.com
chatbotforrealestate.com
lovelancemg.com
marlieskasberger.com
elcongoenespanol.info
lepirecredit.com
distribution-concept.com
e99game.com
exit11festival.com
twodollartoothbrushclub.com
cocktailsandlawn.com
performimprove.network
24horas-telefono-11840.com
cosmossify.com
kellenleote.com
perovskite.energy
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.30369079.30803.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.30369079.30803.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.30369079.30803.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.30369079.30803.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsiD3B.tmp\bvxzu.dllFilesize
47KB
MD5ea41f063d08a24c992a9db51ebd1fd7f
SHA1f28dda174cb32acfdc47cae0a101de53ab78d3a4
SHA2569b51a7156f242aaafb43c7ca8b5ff9547643a747e4a672d06669aec9a29b28ee
SHA512ca7875967878aae950a48b1e149154d6181813717317cb3cb2ab95bff729e115d88b838912021c73f67cdf09fa30aa6a469b153a43e63f348613eb341d8bab58
-
C:\Users\Admin\AppData\Local\Temp\nsiD3B.tmp\bvxzu.dllFilesize
47KB
MD5ea41f063d08a24c992a9db51ebd1fd7f
SHA1f28dda174cb32acfdc47cae0a101de53ab78d3a4
SHA2569b51a7156f242aaafb43c7ca8b5ff9547643a747e4a672d06669aec9a29b28ee
SHA512ca7875967878aae950a48b1e149154d6181813717317cb3cb2ab95bff729e115d88b838912021c73f67cdf09fa30aa6a469b153a43e63f348613eb341d8bab58
-
memory/4240-140-0x00000000749D0000-0x00000000749E0000-memory.dmpFilesize
64KB
-
memory/4240-143-0x00000000749D0000-0x00000000749E0000-memory.dmpFilesize
64KB
-
memory/5036-142-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/5036-146-0x0000000000A00000-0x0000000000D4A000-memory.dmpFilesize
3.3MB