General

  • Target

    CORMATEX - INQUIRY LIST.exe

  • Size

    455KB

  • Sample

    211102-lnr8sshbgl

  • MD5

    83657e3c15dcfc619e9c23a0aa2b3e80

  • SHA1

    e1325f866acc1f37b64a79895c1a295fe3328d3d

  • SHA256

    5f75a4cd779707129db4deb97e834d4fe3e7d41d576d9a2078b855c790736c74

  • SHA512

    5f000d46efea552c7bf184b541fc0a59890614b133d9ed4fcdb952411d91d9ce4f5f07de24796adb59190dbbaeb06dc3044a74057f18ed760d8d86c7e17c270a

Malware Config

  • Extracted

    Family: warzonerat
    C2: 45.137.22.70:4198

  • Extracted

    Family: formbook
    Version: 4.1
    Campaign: cnp0
    C2: http://www.ccnsv.net/cnp0/
    Decoy:
      jiarenyuanhunlian.com
      xquizitelashesnwaxx.com
      rentinerie.com
      herbalpedia-id.com
      openseagames.com
      re-swap.com
      william-cook.com
      segensv.com
      versebay.com
      brendanlairdsound.com
      bypestor.com
      hospitaldelpc.net
      wwwroadrunnerfinancial.com
      waterhammerstudios.com
      hustleandbank.photography
      secure01bchslogin.com
      rarepeperanking.com
      greatland.company
      happybirthdayjewel.com
      raheok.store

Targets

    • Target

      CORMATEX - INQUIRY LIST.exe

    • Size

      455KB

    • MD5

      83657e3c15dcfc619e9c23a0aa2b3e80

    • SHA1

      e1325f866acc1f37b64a79895c1a295fe3328d3d

    • SHA256

      5f75a4cd779707129db4deb97e834d4fe3e7d41d576d9a2078b855c790736c74

    • SHA512

      5f000d46efea552c7bf184b541fc0a59890614b133d9ed4fcdb952411d91d9ce4f5f07de24796adb59190dbbaeb06dc3044a74057f18ed760d8d86c7e17c270a

    • Formbook

      Formbook is a data-stealing malware (infostealer).

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Warzone RAT Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     Count  ID
  Execution             Scheduled Task                1      T1053
  Persistence           Scheduled Task                1      T1053
  Privilege Escalation  Scheduled Task                1      T1053
  Credential Access     Credentials in Files          1      T1081
  Discovery             System Information Discovery  1      T1082
  Collection            Data from Local System        1      T1005
  Collection            Email Collection              1      T1114
