formbook | a8f5392112f282b9d32749631c3d85fc6b568dd0b3fe91ffb8c5c7215e3f7114

General

Target

SecuriteInfocomTrojanGene.exe
Size

261KB
MD5

b3368c7d14c040c8734d69b5bbc0c635
SHA1

d34224b8b7e01e22292a7eac678d337f00834a2b
SHA256

a8f5392112f282b9d32749631c3d85fc6b568dd0b3fe91ffb8c5c7215e3f7114
SHA512

5b036fe1a1650b8fbf03b2d4a91692ad271ce3a7fd572d6256e7b8aa71d9a8849b610865e782d2ab8566b7c44ee61af8965ab922d9e7ea552cb04734aee39c34
SSDEEP

3072:FJ2S2L6KbqDCwcrMEEKsmO39oW1jSAI+ltOJ7y4UjjiJ0bUSgSBQ8QNn9lmDe5+W:F8LxBszXOyrSJm/bQN9laFexrODdtKRf

Score

10^/10

formbook dn7r rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn7r

Decoy

eventphotographerdfw.com

thehalalcoinstaking.com

philipfaziofineart.com

intercoh.com

gaiaseyephotography.com

chatbotforrealestate.com

lovelancemg.com

marlieskasberger.com

elcongoenespanol.info

lepirecredit.com

distribution-concept.com

e99game.com

exit11festival.com

twodollartoothbrushclub.com

cocktailsandlawn.com

performimprove.network

24horas-telefono-11840.com

cosmossify.com

kellenleote.com

perovskite.energy

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1812-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1812-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4620-154-0x0000000000140000-0x000000000016F000-memory.dmp	formbook
behavioral2/memory/4620-156-0x0000000000140000-0x000000000016F000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

SecuriteInfocomTrojanGene.exe

pid process

2480 SecuriteInfocomTrojanGene.exe

pid	process
2480	SecuriteInfocomTrojanGene.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SecuriteInfocomTrojanGene.exeSecuriteInfocomTrojanGene.exesvchost.exe

description	pid	process	target process
PID 2480 set thread context of 1812	2480	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 1812 set thread context of 3088	1812	SecuriteInfocomTrojanGene.exe	Explorer.EXE
PID 4620 set thread context of 3088	4620	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

SecuriteInfocomTrojanGene.exesvchost.exe

pid	process
1812	SecuriteInfocomTrojanGene.exe
1812	SecuriteInfocomTrojanGene.exe
1812	SecuriteInfocomTrojanGene.exe
1812	SecuriteInfocomTrojanGene.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe
4620	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3088 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

SecuriteInfocomTrojanGene.exesvchost.exe

pid process

1812 SecuriteInfocomTrojanGene.exe
1812 SecuriteInfocomTrojanGene.exe
1812 SecuriteInfocomTrojanGene.exe
4620 svchost.exe
4620 svchost.exe

pid	process
3088	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfocomTrojanGene.exesvchost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1812	SecuriteInfocomTrojanGene.exe
Token: SeDebugPrivilege	4620	svchost.exe
Token: SeShutdownPrivilege	3088	Explorer.EXE
Token: SeCreatePagefilePrivilege	3088	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfocomTrojanGene.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 2480 wrote to memory of 1812	2480	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 2480 wrote to memory of 1812	2480	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 2480 wrote to memory of 1812	2480	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 2480 wrote to memory of 1812	2480	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 2480 wrote to memory of 1812	2480	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 2480 wrote to memory of 1812	2480	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 3088 wrote to memory of 4620	3088	Explorer.EXE	svchost.exe
PID 3088 wrote to memory of 4620	3088	Explorer.EXE	svchost.exe
PID 3088 wrote to memory of 4620	3088	Explorer.EXE	svchost.exe
PID 4620 wrote to memory of 920	4620	svchost.exe	cmd.exe
PID 4620 wrote to memory of 920	4620	svchost.exe	cmd.exe
PID 4620 wrote to memory of 920	4620	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3088

C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe"
3⤵
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoE8BB.tmp\bvxzu.dll
Filesize
47KB

MD5
ea41f063d08a24c992a9db51ebd1fd7f

SHA1
f28dda174cb32acfdc47cae0a101de53ab78d3a4

SHA256
9b51a7156f242aaafb43c7ca8b5ff9547643a747e4a672d06669aec9a29b28ee

SHA512
ca7875967878aae950a48b1e149154d6181813717317cb3cb2ab95bff729e115d88b838912021c73f67cdf09fa30aa6a469b153a43e63f348613eb341d8bab58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoE8BB.tmp\bvxzu.dll
Filesize
47KB

MD5
ea41f063d08a24c992a9db51ebd1fd7f

SHA1
f28dda174cb32acfdc47cae0a101de53ab78d3a4

SHA256
9b51a7156f242aaafb43c7ca8b5ff9547643a747e4a672d06669aec9a29b28ee

SHA512
ca7875967878aae950a48b1e149154d6181813717317cb3cb2ab95bff729e115d88b838912021c73f67cdf09fa30aa6a469b153a43e63f348613eb341d8bab58

Download Submit
memory/1812-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-145-0x0000000000A50000-0x0000000000D9A000-memory.dmp

Filesize
3.3MB

Download
memory/1812-147-0x00000000005D0000-0x00000000005E5000-memory.dmp

Filesize
84KB

Download
memory/1812-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-140-0x00000000743E0000-0x00000000743F0000-memory.dmp

Filesize
64KB

Download
memory/2480-143-0x00000000743E0000-0x00000000743F0000-memory.dmp

Filesize
64KB

Download
memory/3088-148-0x00000000087C0000-0x00000000088CB000-memory.dmp

Filesize
1.0MB

Download
memory/3088-159-0x0000000008F30000-0x0000000009089000-memory.dmp

Filesize
1.3MB

Download
memory/3088-160-0x0000000008F30000-0x0000000009089000-memory.dmp

Filesize
1.3MB

Download
memory/3088-162-0x0000000008F30000-0x0000000009089000-memory.dmp

Filesize
1.3MB

Download
memory/4620-150-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/4620-153-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/4620-154-0x0000000000140000-0x000000000016F000-memory.dmp

Filesize
188KB

Download
memory/4620-155-0x0000000001000000-0x000000000134A000-memory.dmp

Filesize
3.3MB

Download
memory/4620-156-0x0000000000140000-0x000000000016F000-memory.dmp

Filesize
188KB

Download
memory/4620-158-0x0000000000A50000-0x0000000000AE4000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads