formbook | a8f5392112f282b9d32749631c3d85fc6b568dd0b3fe91ffb8c5c7215e3f7114

General

Target

SecuriteInfocomTrojanGene.exe
Size

261KB
MD5

b3368c7d14c040c8734d69b5bbc0c635
SHA1

d34224b8b7e01e22292a7eac678d337f00834a2b
SHA256

a8f5392112f282b9d32749631c3d85fc6b568dd0b3fe91ffb8c5c7215e3f7114
SHA512

5b036fe1a1650b8fbf03b2d4a91692ad271ce3a7fd572d6256e7b8aa71d9a8849b610865e782d2ab8566b7c44ee61af8965ab922d9e7ea552cb04734aee39c34
SSDEEP

3072:FJ2S2L6KbqDCwcrMEEKsmO39oW1jSAI+ltOJ7y4UjjiJ0bUSgSBQ8QNn9lmDe5+W:F8LxBszXOyrSJm/bQN9laFexrODdtKRf

Score

10^/10

formbook dn7r rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn7r

Decoy

eventphotographerdfw.com

thehalalcoinstaking.com

philipfaziofineart.com

intercoh.com

gaiaseyephotography.com

chatbotforrealestate.com

lovelancemg.com

marlieskasberger.com

elcongoenespanol.info

lepirecredit.com

distribution-concept.com

e99game.com

exit11festival.com

twodollartoothbrushclub.com

cocktailsandlawn.com

performimprove.network

24horas-telefono-11840.com

cosmossify.com

kellenleote.com

perovskite.energy

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2624-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2624-148-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4944-154-0x0000000000600000-0x000000000062F000-memory.dmp	formbook
behavioral2/memory/4944-157-0x0000000000600000-0x000000000062F000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

SecuriteInfocomTrojanGene.exe

pid process

1552 SecuriteInfocomTrojanGene.exe

pid	process
1552	SecuriteInfocomTrojanGene.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SecuriteInfocomTrojanGene.exeSecuriteInfocomTrojanGene.exeWWAHost.exe

description	pid	process	target process
PID 1552 set thread context of 2624	1552	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 2624 set thread context of 3116	2624	SecuriteInfocomTrojanGene.exe	Explorer.EXE
PID 4944 set thread context of 3116	4944	WWAHost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

SecuriteInfocomTrojanGene.exeWWAHost.exe

pid	process
2624	SecuriteInfocomTrojanGene.exe
2624	SecuriteInfocomTrojanGene.exe
2624	SecuriteInfocomTrojanGene.exe
2624	SecuriteInfocomTrojanGene.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe
4944	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3116 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

SecuriteInfocomTrojanGene.exeWWAHost.exe

pid process

2624 SecuriteInfocomTrojanGene.exe
2624 SecuriteInfocomTrojanGene.exe
2624 SecuriteInfocomTrojanGene.exe
4944 WWAHost.exe
4944 WWAHost.exe

pid	process
3116	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfocomTrojanGene.exeWWAHost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2624	SecuriteInfocomTrojanGene.exe
Token: SeDebugPrivilege	4944	WWAHost.exe
Token: SeShutdownPrivilege	3116	Explorer.EXE
Token: SeCreatePagefilePrivilege	3116	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfocomTrojanGene.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 1552 wrote to memory of 2624	1552	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 1552 wrote to memory of 2624	1552	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 1552 wrote to memory of 2624	1552	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 1552 wrote to memory of 2624	1552	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 1552 wrote to memory of 2624	1552	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 1552 wrote to memory of 2624	1552	SecuriteInfocomTrojanGene.exe	SecuriteInfocomTrojanGene.exe
PID 3116 wrote to memory of 4944	3116	Explorer.EXE	WWAHost.exe
PID 3116 wrote to memory of 4944	3116	Explorer.EXE	WWAHost.exe
PID 3116 wrote to memory of 4944	3116	Explorer.EXE	WWAHost.exe
PID 4944 wrote to memory of 1756	4944	WWAHost.exe	cmd.exe
PID 4944 wrote to memory of 1756	4944	WWAHost.exe	cmd.exe
PID 4944 wrote to memory of 1756	4944	WWAHost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe"
3⤵
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsk5EE5.tmp\bvxzu.dll
Filesize
47KB

MD5
ea41f063d08a24c992a9db51ebd1fd7f

SHA1
f28dda174cb32acfdc47cae0a101de53ab78d3a4

SHA256
9b51a7156f242aaafb43c7ca8b5ff9547643a747e4a672d06669aec9a29b28ee

SHA512
ca7875967878aae950a48b1e149154d6181813717317cb3cb2ab95bff729e115d88b838912021c73f67cdf09fa30aa6a469b153a43e63f348613eb341d8bab58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk5EE5.tmp\bvxzu.dll
Filesize
47KB

MD5
ea41f063d08a24c992a9db51ebd1fd7f

SHA1
f28dda174cb32acfdc47cae0a101de53ab78d3a4

SHA256
9b51a7156f242aaafb43c7ca8b5ff9547643a747e4a672d06669aec9a29b28ee

SHA512
ca7875967878aae950a48b1e149154d6181813717317cb3cb2ab95bff729e115d88b838912021c73f67cdf09fa30aa6a469b153a43e63f348613eb341d8bab58

Download Submit
memory/1552-140-0x0000000074F20000-0x0000000074F30000-memory.dmp

Filesize
64KB

Download
memory/1552-144-0x0000000074F20000-0x0000000074F30000-memory.dmp

Filesize
64KB

Download
memory/2624-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-143-0x0000000000A60000-0x0000000000DAA000-memory.dmp

Filesize
3.3MB

Download
memory/2624-146-0x0000000000A00000-0x0000000000A15000-memory.dmp

Filesize
84KB

Download
memory/2624-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-160-0x0000000008B10000-0x0000000008C09000-memory.dmp

Filesize
996KB

Download
memory/3116-147-0x0000000008A10000-0x0000000008B06000-memory.dmp

Filesize
984KB

Download
memory/3116-163-0x0000000008B10000-0x0000000008C09000-memory.dmp

Filesize
996KB

Download
memory/3116-161-0x0000000008B10000-0x0000000008C09000-memory.dmp

Filesize
996KB

Download
memory/4944-149-0x0000000000710000-0x00000000007EC000-memory.dmp

Filesize
880KB

Download
memory/4944-157-0x0000000000600000-0x000000000062F000-memory.dmp

Filesize
188KB

Download
memory/4944-159-0x00000000011E0000-0x0000000001274000-memory.dmp

Filesize
592KB

Download
memory/4944-155-0x0000000001540000-0x000000000188A000-memory.dmp

Filesize
3.3MB

Download
memory/4944-154-0x0000000000600000-0x000000000062F000-memory.dmp

Filesize
188KB

Download
memory/4944-153-0x0000000000710000-0x00000000007EC000-memory.dmp

Filesize
880KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads