General
-
Target
TW_PURCHASE ORDER _BENTEX LTD_26201.exe
-
Size
358KB
-
Sample
211028-fypyjahcb5
-
MD5
df979ba0a0557ff574d9ebaec0d3e0bb
-
SHA1
9d6733cbc7a3a70bfb3be841aeb78e9dff6045f1
-
SHA256
221f20319954181ff4d7b4edb299d7eb00c2a20bc1c6c3dff99d2374ae084000
-
SHA512
dea063287dbd7617df81e0ec4698df04d8bc337ddb561bc3a3037283aa2e9b7296e112ae06b676f4b2e3e90fff528b4f31c3b7f8fa0294e7181ca8bc93994f51
Malware Config
Extracted
warzonerat
papi1.ddns.net:10190
Extracted
formbook
4.1
pp1a
http://www.christophebigot.com/pp1a/
ytwdpk.com
1afs1f.com
yougeshpal.com
diabetologist.tips
empregodonovomilenio.com
ztransact.online
doneforyoueventbrandingkit.com
yl20215.top
teashalu.xyz
kpscreations.com
hxs1688.com
introtostudy.com
theradicalsvisions.com
trammtd.online
navsecurity.online
loit711.com
rufly.link
iwyaknfc.icu
1bet11.net
niguns.com
Targets
-
-
Target
TW_PURCHASE ORDER _BENTEX LTD_26201.exe
-
Size
358KB
-
MD5
df979ba0a0557ff574d9ebaec0d3e0bb
-
SHA1
9d6733cbc7a3a70bfb3be841aeb78e9dff6045f1
-
SHA256
221f20319954181ff4d7b4edb299d7eb00c2a20bc1c6c3dff99d2374ae084000
-
SHA512
dea063287dbd7617df81e0ec4698df04d8bc337ddb561bc3a3037283aa2e9b7296e112ae06b676f4b2e3e90fff528b4f31c3b7f8fa0294e7181ca8bc93994f51
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Formbook Payload
-
Warzone RAT Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-