General

  • Target

    HIC INTERNATIONAL - REQUEST FOR QUOTATION DOCUMENTS.rar

  • Size

    608KB

  • Sample

    211023-qf5alscch9

  • MD5

    c23bbc7c985b841044e10c3bc6485db7

  • SHA1

    756055224e8b5da715ef13d9213423ce5ca0ba4c

  • SHA256

    03e298ddd47b9fec7e5fe7890b42806aa21544cc292bf115ca38f595a2a6b813

  • SHA512

    379d64ed745314b53ced00f2492af77b04c24c1ee7c672cd5b66eff07a28f90cd8117412b9627c9a1e3904958e6700e81647ed7048215dc1cf199f35dcabff22

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    45.137.22.70:4198

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    cnp0

  • C2

    http://www.ccnsv.net/cnp0/

  • Decoy

    jiarenyuanhunlian.com
    xquizitelashesnwaxx.com
    rentinerie.com
    herbalpedia-id.com
    openseagames.com
    re-swap.com
    william-cook.com
    segensv.com
    versebay.com
    brendanlairdsound.com
    bypestor.com
    hospitaldelpc.net
    wwwroadrunnerfinancial.com
    waterhammerstudios.com
    hustleandbank.photography
    secure01bchslogin.com
    rarepeperanking.com
    greatland.company
    happybirthdayjewel.com
    raheok.store

Targets

    • Target

      HIC INTERNATIONAL - REQUEST FOR QUOTATION DOCUMENTS.exe

    • Size

      821KB

    • MD5

      577a4f4a604b0a05da9ec1781fd5894f

    • SHA1

      6117b837be45aed2122d1ef9e7dd6d9f3eaadadd

    • SHA256

      26b85e1456b150775c4d4a77a57be2e99ac5429998184c8a576adef665e9ac72

    • SHA512

      8f0f4dbe1520b6494754bceac6c16ea0a213bb91882eb76f012fdc3aeaffa4dd4d513272dff9356d950bbad0d0165c4ac0abaff1a99ded4692eb35c1123bc185

    • Formbook

      Formbook is a data-stealing malware.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Formbook Payload

    • Warzone RAT Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    T1053 Scheduled Task (1)

  • Persistence

    T1053 Scheduled Task (1)

  • Privilege Escalation

    T1053 Scheduled Task (1)

  • Credential Access

    T1081 Credentials in Files (1)

  • Discovery

    T1082 System Information Discovery (1)

  • Collection

    T1005 Data from Local System (1)
    T1114 Email Collection (1)

Tasks