formbook | a7ac86859df3916a97fb2dff315541ad5f53075a6d4d6f151478ff083192ea24 | Triage

Submit
Reports

Overview

overview

Static

static

RFQ#7018.exe

windows7_x64

RFQ#7018.exe

windows10-2004_x64

Sharing

General

Target

a7ac86859df3916a97fb2dff315541ad5f53075a6d4d6f151478ff083192ea24
Size

266KB
Sample

220521-bqhf9sfcfp
MD5

b6c0965a4ddfd56bd4cc9c7f0b01d82b
SHA1

832f5a884eb899849876ad9ce899df101dc56acd
SHA256

a7ac86859df3916a97fb2dff315541ad5f53075a6d4d6f151478ff083192ea24
SHA512

4169c90190316689d4e1452f8c3ddcf6cf5190fb8623755fd06506490ebb725973153a010c61beb9c58bfa8eb8c90355f09308b146e680e0db382f2f939096f1

Score

10^/10

formbook 20w coreentity persistence rat rezer0 spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

RFQ#7018.exe

Resource

win7-20220414-en

formbook 20w coreentity rat rezer0 spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

RFQ#7018.exe

Resource

win10v2004-20220414-en

formbook 20w persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

20w

Decoy

cofounder.technology

mrbajaf.com

xn--w9s874cfjq5fk.com

haliciogluhali.net

vanessadunfordhere.com

lookguy.win

91javac.com

goldennd.com

nwatheeliteteam.net

tumpukganda.com

clarservicios.com

koghana.com

workingwithroland.com

yellowsocialbox.com

under-dawg.com

sdtjtzyz.com

banditaerialproductions.com

newssmog.com

tefnmp.men

rebelialabel.com

shubhankarthinks.com

weldlngwarehouseinc.com

cxwlkjgs.com

sfbtadvertising.com

just-climb-it.com

abigailstales.net

erreapeworld.com

ujoi0cb3td.com

adhitshet.com

loi-mezard-invest.com

shimanami-guesthouse.com

5bu3.com

koszr.info

shopgoperinnovation.com

matthiasdittert.com

stiffeducation.com

projectoverflowinc.com

v5rayp.club

dqklfr.info

jacobsonfordl.com

chicagobps.biz

bsateenalsharq.com

238bifa.com

kairui.ink

lai2151.com

simplysavvysolutions.com

watertable.win

robotica.tech

avggrfx.com

teleportcafe.com

712roofing.com

07hosting.com

quiltlux.com

implantcyrkonowy.com

gnbaccelerator.com

negusangel.com

best1caratdiamondrings.com

elizabethlampertpr.net

pinpointlocalsacramento.com

skinstradesarea.com

morganhelps.com

divarium.com

njswd.com

bfmjgame.com

nyoxibwer.com

Targets

- Target
  
  RFQ#7018.exe
- Size
  
  304KB
- MD5
  
  ff63351b26aa98482e65c848d3c81dba
- SHA1
  
  a12eac529a3e6f4f54ef3132077ede6fadac14ee
- SHA256
  
  e2234312d9f3cca21a317e8fddb427b2dd315cd69f9c1cc3606016c154fa4182
- SHA512
  
  656a29f833f50921196bcee13f39ad6eb2c2f7f4aaedf471b3517d6b366354579e3f103d2e2ac3c398b5a1be647149825d58f240defd07a430a6aa3f811fedd5
Score

10^/10

formbook 20w coreentity rat rezer0 spyware stealer trojan persistence suricata
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbook20wcoreentityratrezer0spywarestealertrojan

behavioral2

formbook20wpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy