Overview

overview

10

Static

static

PO-25 date...20.exe

windows7_x64

10

PO-25 date...20.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO-25 dated 4th., 2020.exe

  • Size

    467KB

  • Sample

    201109-4z7mx3xljn

  • MD5

    2dac96d6f34fae50fe8f431126801ed3

  • SHA1

    87e09ae244daa9cde03a23174a659260fdd33325

  • SHA256

    8cac0e47c8769e535bb8d4c6fc749aec4be79589a303cc89144cf07b2ba91b91

  • SHA512

    3a72a1414f5eb15229c596d282970018d916bdeb83c2bda5a00d98f50a7606f509b935d99689fdd8ed4ada6665c58bc690884f9daf28f910e693684da772ea24

Score
10/10
formbookpersistenceratrezer0spywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.covpsychiz.info/sg03/

Decoy

resuisse.com

nomoreblow.com

eachmissive.com

ilmionapoli.com

boxingtechnics.com

cognosinstitute.com

wheresmyredun.com

godashin.com

suit-brands.com

fcesr.com

askgalago.com

ravencanyondesigns.com

bianxuexiao.com

hypno-hacks.com

techcarney.com

racingandrecipes.com

malsfoundation.us

liminalspirits.com

jiralabs.com

calebdavidsmith.com

Targets

    • Target

      PO-25 dated 4th., 2020.exe

    • Size

      467KB

    • MD5

      2dac96d6f34fae50fe8f431126801ed3

    • SHA1

      87e09ae244daa9cde03a23174a659260fdd33325

    • SHA256

      8cac0e47c8769e535bb8d4c6fc749aec4be79589a303cc89144cf07b2ba91b91

    • SHA512

      3a72a1414f5eb15229c596d282970018d916bdeb83c2bda5a00d98f50a7606f509b935d99689fdd8ed4ada6665c58bc690884f9daf28f910e693684da772ea24

    Score
    10/10
    formbookratrezer0spywarestealertrojanpersistence

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • rezer0

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks