formbook | 8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e

General

Target

SecuriteInfo.com.Win32.PWSX-gen.21551.exe
Size

629KB
MD5

eebb33a5375ffd40682c86deea752033
SHA1

8ed7b849ba2829a164ee569995f2d4d8a8d90924
SHA256

8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e
SHA512

77b5fb3046040512a93e4e7069a5e4ded1362c2913b928232d00be416f93619c21e5a3aef20516336eb81e7c4067f88ae67caeada31ddda7480b0a5e3fcf5fe5
SSDEEP

12288:DK0YOwqVT+BnEymdHekIrOuPhKPrbgAoOxCzSb0c6gb/wM4IKkR:DqO7VDVdDIrOusrbZoGWy0c9wM4IJ

Score

10^/10

formbook dz25 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dz25

Decoy

sdw123.com

theflower-jeju.com

bigbargins.shop

xn--grsdetetizao-dcb9c.site

visionprobiz.com

ebruunalsigorta.xyz

51tree.net

tommeynadier.com

spx21.com

researchupdatehub.com

rserveohio.com

schemaconsultant.com

ec-peleti.com

songkokgelhq.shop

sixfigureswithkarah.net

quickfinancebrokerage.com

alliance-couverture.com

heartlandinnovates.com

art-friday.online

curi-o-rama.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2532-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2532-13-0x0000000000401000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21551.exe

description	pid	process	target process
PID 2920 set thread context of 2532	2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21551.exeSecuriteInfo.com.Win32.PWSX-gen.21551.exepowershell.exe

pid	process
2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
2532	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
2040	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21551.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2920 SecuriteInfo.com.Win32.PWSX-gen.21551.exe
Token: SeDebugPrivilege 2040 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
Token: SeDebugPrivilege	2040	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21551.exe

description	pid	process	target process
PID 2920 wrote to memory of 2040	2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	powershell.exe
PID 2920 wrote to memory of 2040	2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	powershell.exe
PID 2920 wrote to memory of 2040	2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	powershell.exe
PID 2920 wrote to memory of 2040	2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	powershell.exe
PID 2920 wrote to memory of 2532	2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
PID 2920 wrote to memory of 2532	2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
PID 2920 wrote to memory of 2532	2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
PID 2920 wrote to memory of 2532	2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
PID 2920 wrote to memory of 2532	2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
PID 2920 wrote to memory of 2532	2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
PID 2920 wrote to memory of 2532	2920	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2532

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-19-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-24-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-23-0x0000000002D90000-0x0000000002DD0000-memory.dmp

Filesize
256KB

Download
memory/2040-22-0x0000000002D90000-0x0000000002DD0000-memory.dmp

Filesize
256KB

Download
memory/2040-21-0x0000000002D90000-0x0000000002DD0000-memory.dmp

Filesize
256KB

Download
memory/2040-20-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-13-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2532-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2532-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-14-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/2920-16-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-15-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-1-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-5-0x00000000049C0000-0x0000000004A36000-memory.dmp

Filesize
472KB

Download
memory/2920-4-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2920-3-0x00000000004C0000-0x00000000004DA000-memory.dmp

Filesize
104KB

Download
memory/2920-2-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/2920-0-0x0000000000870000-0x000000000090A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads