formbook | a8f5392112f282b9d32749631c3d85fc6b568dd0b3fe91ffb8c5c7215e3f7114

General

Target

SecuriteInfocomTrojanGene.exe
Size

261KB
MD5

b3368c7d14c040c8734d69b5bbc0c635
SHA1

d34224b8b7e01e22292a7eac678d337f00834a2b
SHA256

a8f5392112f282b9d32749631c3d85fc6b568dd0b3fe91ffb8c5c7215e3f7114
SHA512

5b036fe1a1650b8fbf03b2d4a91692ad271ce3a7fd572d6256e7b8aa71d9a8849b610865e782d2ab8566b7c44ee61af8965ab922d9e7ea552cb04734aee39c34
SSDEEP

3072:FJ2S2L6KbqDCwcrMEEKsmO39oW1jSAI+ltOJ7y4UjjiJ0bUSgSBQ8QNn9lmDe5+W:F8LxBszXOyrSJm/bQN9laFexrODdtKRf

Score

10^/10

formbook dn7r rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn7r

Decoy

eventphotographerdfw.com

thehalalcoinstaking.com

philipfaziofineart.com

intercoh.com

gaiaseyephotography.com

chatbotforrealestate.com

lovelancemg.com

marlieskasberger.com

elcongoenespanol.info

lepirecredit.com

distribution-concept.com

e99game.com

exit11festival.com

twodollartoothbrushclub.com

cocktailsandlawn.com

performimprove.network

24horas-telefono-11840.com

cosmossify.com

kellenleote.com

perovskite.energy

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3032-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/3032-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2972-73-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2972-75-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2872 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

SecuriteInfocomTrojanGene.exe

pid process

2308 SecuriteInfocomTrojanGene.exe

pid	process
2872	cmd.exe

pid	process
2308	SecuriteInfocomTrojanGene.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SecuriteInfocomTrojanGene.exeSecuriteInfocomTrojanGene.execmmon32.exe

description	pid	process	target process
PID 2308 set thread context of 3032	2308	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 3032 set thread context of 1232	3032	SecuriteInfocomTrojanGene.exe	Explorer.EXE
PID 2972 set thread context of 1232	2972	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

SecuriteInfocomTrojanGene.execmmon32.exe

pid	process
3032	SecuriteInfocomTrojanGene.exe
3032	SecuriteInfocomTrojanGene.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe
2972	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

SecuriteInfocomTrojanGene.execmmon32.exe

pid process

3032 SecuriteInfocomTrojanGene.exe
3032 SecuriteInfocomTrojanGene.exe
3032 SecuriteInfocomTrojanGene.exe
2972 cmmon32.exe
2972 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfocomTrojanGene.execmmon32.exe

description pid process

Token: SeDebugPrivilege 3032 SecuriteInfocomTrojanGene.exe
Token: SeDebugPrivilege 2972 cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE

pid	process
1232	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3032	SecuriteInfocomTrojanGene.exe
Token: SeDebugPrivilege	2972	cmmon32.exe

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

SecuriteInfocomTrojanGene.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 2308 wrote to memory of 3032	2308	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 2308 wrote to memory of 3032	2308	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 2308 wrote to memory of 3032	2308	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 2308 wrote to memory of 3032	2308	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 2308 wrote to memory of 3032	2308	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 2308 wrote to memory of 3032	2308	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 2308 wrote to memory of 3032	2308	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 1232 wrote to memory of 2972	1232	Explorer.EXE	cmmon32.exe
PID 1232 wrote to memory of 2972	1232	Explorer.EXE	cmmon32.exe
PID 1232 wrote to memory of 2972	1232	Explorer.EXE	cmmon32.exe
PID 1232 wrote to memory of 2972	1232	Explorer.EXE	cmmon32.exe
PID 2972 wrote to memory of 2872	2972	cmmon32.exe	cmd.exe
PID 2972 wrote to memory of 2872	2972	cmmon32.exe	cmd.exe
PID 2972 wrote to memory of 2872	2972	cmmon32.exe	cmd.exe
PID 2972 wrote to memory of 2872	2972	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2308

C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe"
3⤵
- Deletes itself
PID:2872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
705293292c28b3145cadf9136b755103

SHA1
5cf6044f84d25b0edd90e95dfb216086d08030bd

SHA256
20a9f6aee42486e8beec69f272680e583ce830b8a48c2bcc7c6abae7f2b05117

SHA512
d73b3b6d2f5eca1b63c3ad0b6534587b28ddb10d6cf2de928af42c6598debff7da31cb65bab6bf902a9b4175fe9b67efa6f947d23727e585d6e0cae3c5f097ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEA71.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarED42.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse2DB7.tmp\bvxzu.dll
Filesize
47KB

MD5
ea41f063d08a24c992a9db51ebd1fd7f

SHA1
f28dda174cb32acfdc47cae0a101de53ab78d3a4

SHA256
9b51a7156f242aaafb43c7ca8b5ff9547643a747e4a672d06669aec9a29b28ee

SHA512
ca7875967878aae950a48b1e149154d6181813717317cb3cb2ab95bff729e115d88b838912021c73f67cdf09fa30aa6a469b153a43e63f348613eb341d8bab58

Download Submit
\Users\Admin\AppData\Local\Temp\nse2DB7.tmp\bvxzu.dll
Filesize
47KB

MD5
ea41f063d08a24c992a9db51ebd1fd7f

SHA1
f28dda174cb32acfdc47cae0a101de53ab78d3a4

SHA256
9b51a7156f242aaafb43c7ca8b5ff9547643a747e4a672d06669aec9a29b28ee

SHA512
ca7875967878aae950a48b1e149154d6181813717317cb3cb2ab95bff729e115d88b838912021c73f67cdf09fa30aa6a469b153a43e63f348613eb341d8bab58

Download Submit
memory/1232-77-0x0000000000440000-0x0000000000540000-memory.dmp

Filesize
1024KB

Download
memory/1232-82-0x0000000006AC0000-0x0000000006C2C000-memory.dmp

Filesize
1.4MB

Download
memory/1232-68-0x0000000003F20000-0x0000000003FE1000-memory.dmp

Filesize
772KB

Download
memory/1232-80-0x0000000006AC0000-0x0000000006C2C000-memory.dmp

Filesize
1.4MB

Download
memory/1232-79-0x0000000006AC0000-0x0000000006C2C000-memory.dmp

Filesize
1.4MB

Download
memory/2308-63-0x0000000074A00000-0x0000000074A10000-memory.dmp

Filesize
64KB

Download
memory/2972-73-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2972-75-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2972-74-0x0000000001FC0000-0x00000000022C3000-memory.dmp

Filesize
3.0MB

Download
memory/2972-78-0x0000000001E30000-0x0000000001EC4000-memory.dmp

Filesize
592KB

Download
memory/2972-72-0x0000000000A20000-0x0000000000A2D000-memory.dmp

Filesize
52KB

Download
memory/2972-70-0x0000000000A20000-0x0000000000A2D000-memory.dmp

Filesize
52KB

Download
memory/3032-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-67-0x0000000000350000-0x0000000000365000-memory.dmp

Filesize
84KB

Download
memory/3032-65-0x0000000000740000-0x0000000000A43000-memory.dmp

Filesize
3.0MB

Download
memory/3032-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads