General

  • Target

    916605b32ad795005cb071ec793e23c2a4bcdf88.exe

  • Size

    635KB

  • Sample

    211019-mjrbdagehl

  • MD5

    5d86cd9be03802d577a215ac3ec0dce1

  • SHA1

    916605b32ad795005cb071ec793e23c2a4bcdf88

  • SHA256

    00d211d4c0664cdeab245f8186a52a2f0486a2c910d28bcd69228a8b75fce113

  • SHA512

    42f9414b973be42246058702a5dffb632817e3465a79f8f4d48b37f680cafb999d1a8d709ec95303394afed8cb9298f017363e6b77fc6a5736428a8bf290286e

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k9d0

C2

http://www.dotgroup-email.com/k9d0/

Decoy

flourishpodcast.xyz

xn--nga.group

music-tomato.com

motory.store

arrivehike.info

xn--diseowebseo-4db.com

centpourcentsons.com

qnnjja005.xyz

annielynnrose.com

darlaevans.com

door-maximum.com

chinataibaifen.com

stickerhicks.com

ta2gamesstudio.com

jendelanews.com

milestoneneuro.com

premierconciergehomes.com

exitcounter.com

jrsway.com

famurainmobiliaria.com

Extracted

Family

warzonerat

C2

kw9d0w.duckdns.org:4192

Targets

    • Target

      916605b32ad795005cb071ec793e23c2a4bcdf88.exe

    • Size

      635KB

    • MD5

      5d86cd9be03802d577a215ac3ec0dce1

    • SHA1

      916605b32ad795005cb071ec793e23c2a4bcdf88

    • SHA256

      00d211d4c0664cdeab245f8186a52a2f0486a2c910d28bcd69228a8b75fce113

    • SHA512

      42f9414b973be42246058702a5dffb632817e3465a79f8f4d48b37f680cafb999d1a8d709ec95303394afed8cb9298f017363e6b77fc6a5736428a8bf290286e

    • Formbook

      Formbook is an information stealer: it injects into a legitimate process, hooks browser and email clients to capture form submissions and saved credentials, logs keystrokes and clipboard contents, and reports to its C2 under the campaign path (here /k9d0/), beaconing to the listed decoy domains alongside the real C2.

    • WarzoneRat, AveMaria

      Warzone RAT (also tracked as AveMaria) is a native Windows RAT written in C++ and sold as malware-as-a-service, with plugins for credential recovery, keylogging, remote desktop and UAC bypass; this sample's C2 is a DuckDNS dynamic-DNS host on a non-standard port.

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Formbook Payload

    • Warzone RAT Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
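As an added example (not part of this report or the sandbox's own tooling), the Python below turns the extracted FormBook and Warzone RAT configuration above and the Suricata signature into a small triage check over proxy logs. The log format and the log lines are constructed for illustration, and the regex for a "terse alphanumeric executable" download is an approximation of the idea behind the ET signature, not the rule itself. FormBook beacons to its decoy domains as well as to the real C2, so a decoy hit on its own corroborates rather than confirms infection; the real C2 is distinguished by host plus campaign path. The Warzone C2 is a dynamic-DNS name, so the check matches on name and port rather than an IP.

```python
import re
from urllib.parse import urlsplit

# IOCs copied verbatim from the extracted configuration in this report.
FORMBOOK_C2 = "http://www.dotgroup-email.com/k9d0/"
FORMBOOK_CAMPAIGN = "k9d0"
FORMBOOK_DECOYS = {
    "flourishpodcast.xyz", "xn--nga.group", "music-tomato.com", "motory.store",
    "arrivehike.info", "xn--diseowebseo-4db.com", "centpourcentsons.com",
    "qnnjja005.xyz", "annielynnrose.com", "darlaevans.com", "door-maximum.com",
    "chinataibaifen.com", "stickerhicks.com", "ta2gamesstudio.com",
    "jendelanews.com", "milestoneneuro.com", "premierconciergehomes.com",
    "exitcounter.com", "jrsway.com", "famurainmobiliaria.com",
}
# Warzone RAT C2 is a DuckDNS dynamic-DNS name: match name and port, not an IP.
WARZONE_C2 = ("kw9d0w.duckdns.org", 4192)

# Assumption: an approximation of what the ET signature flags (a GET for a very
# short, purely alphanumeric .exe name at the web root), not the rule itself.
TERSE_EXE_RE = re.compile(r"^/[a-z0-9]{1,6}\.exe$", re.IGNORECASE)

# Constructed sample log in a hypothetical space-separated format:
# timestamp source dst_host dst_port method url
SAMPLE_LOG = """\
2021-10-19T13:01:02Z ws-042 www.dotgroup-email.com 80 GET http://www.dotgroup-email.com/k9d0/?Xm=abc123&Q7=def
2021-10-19T13:01:05Z ws-042 www.dotgroup-email.com 80 POST http://www.dotgroup-email.com/k9d0/
2021-10-19T13:01:09Z ws-042 www.flourishpodcast.xyz 80 GET http://www.flourishpodcast.xyz/k9d0/?Xm=zzz
2021-10-19T13:02:00Z ws-042 kw9d0w.duckdns.org 4192 CONNECT kw9d0w.duckdns.org:4192
2021-10-19T13:02:30Z ws-017 203.0.113.7 80 GET http://203.0.113.7/a7x.exe
2021-10-19T13:03:00Z ws-017 update.example.com 443 GET https://update.example.com/client/setup.exe
"""

_C2 = urlsplit(FORMBOOK_C2)


def classify(line):
    """Return (severity, reason) for one log line, or None if nothing matched."""
    _ts, _src, dst_host, dst_port, method, url = line.split(maxsplit=5)
    port = int(dst_port)
    host = dst_host.lower()
    bare = host[4:] if host.startswith("www.") else host
    # CONNECT lines carry host:port instead of a URL, so only parse real URLs.
    path = urlsplit(url).path if url.startswith(("http://", "https://")) else ""

    # Real FormBook C2: exact host plus the campaign path (GET check-in or POST exfil).
    if host == _C2.hostname and path.startswith(_C2.path):
        return ("high", f"FormBook C2 beacon {method} {path} (campaign {FORMBOOK_CAMPAIGN})")
    if (host, port) == WARZONE_C2:
        return ("high", f"Warzone RAT C2 {host}:{port}")
    # Decoys receive the same beacon shape; treat as corroborating evidence only.
    if bare in FORMBOOK_DECOYS:
        return ("medium", f"FormBook decoy domain {bare}; corroborate, not a C2 on its own")
    if method == "GET" and TERSE_EXE_RE.match(path):
        return ("low", f"terse alphanumeric executable download {path}")
    return None


def scan(log):
    """Run classify() over every non-empty line; return (ts, source, severity, reason) hits."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        verdict = classify(line)
        if verdict:
            ts, src = line.split()[:2]
            hits.append((ts, src, *verdict))
    return hits


if __name__ == "__main__":
    for ts, src, severity, reason in scan(SAMPLE_LOG):
        print(f"{ts} {src} [{severity}] {reason}")
```

In a real deployment the decoy list is only useful for the campaign it was extracted from; FormBook operators rotate both the real C2 and the decoys, so the durable signal is the host-plus-path beacon shape and the RAT's fixed port on a dynamic-DNS name.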

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scripting (T1064), Scheduled Task (T1053)

  • Persistence

    Scheduled Task (T1053)

  • Privilege Escalation

    Scheduled Task (T1053)

  • Defense Evasion

    Scripting (T1064)

  • Discovery

    System Information Discovery (T1082)

  • Collection

    Email Collection (T1114)

These IDs are from ATT&CK v6. In the current matrix T1064 Scripting is deprecated (its content moved to T1059 Command and Scripting Interpreter and T1027 Obfuscated Files or Information), and Scheduled Task maps to the sub-technique T1053.005, so remap before using them in a detection or reporting pipeline.
