General

  • Target

    000040021.exe

  • Size

    179KB

  • Sample

    220421-bf3pfsdaa5

  • MD5

    6f6f64b82c949798ec80ecddea570ba9

  • SHA1

    9895fe43bf8b037ec9110294e681410f419cf64b

  • SHA256

    5978ce4905969580753f948beb8265a13d133cf29f9ddb206475a7f06f8fc885

  • SHA512

    263308644df6dfc89d2466646ec7fda1092150128af96b8c62050c1b30f8ee0f8b0fa4ed03a375f2c78e5f5926e7b043db65b9a8b484b1d5a88760bb628e6cc6

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oh75

Decoy


Extracted

Family

netwire

C2

127.0.0.1:3360

212.192.246.209:141

Attributes

  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    04-22

  • install_path

  • keylogger_dir

  • lock_executable

    false

  • mutex

  • offline_keylogger

    false

  • password

    123456

  • registry_autorun

    false

  • startup_name

    �k

  • use_mutex

    false

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is password stealing and keylogging; it also includes remote control capabilities.

    • Formbook Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1)

  • Defense Evasion: Modify Registry, T1112 (1)

  • Discovery: Query Registry, T1012 (1)

  • Discovery: System Information Discovery, T1082 (2)

Tasks