formbook | 7077dc6b11200f419f78a5768af01a0134dbb398c70e373ddd5e5ba5f583472b | Triage

Submit
Reports

Overview

overview

Static

static

Contract D...ts.exe

windows7_x64

Contract D...ts.exe

windows10-2004_x64

Sharing

General

Target

7077dc6b11200f419f78a5768af01a0134dbb398c70e373ddd5e5ba5f583472b
Size

263KB
Sample

220521-bsz44acdf6
MD5

6195861513dc74e72eac71d6a0b83887
SHA1

02e5a65bb71f73ff5a045f270248e10531784704
SHA256

7077dc6b11200f419f78a5768af01a0134dbb398c70e373ddd5e5ba5f583472b
SHA512

b2d8864303c1162a3883f0060c764e99fdf8e2cba4d730d8c83f48c645ef6cdeca939ab040c09f1b8d4b4ba508260fbb81796ea94782a1b133cbf016bb0547a3

Score

10^/10

formbook nfl coreentity persistence rat rezer0 spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

Contract Documents.exe

Resource

win7-20220414-en

formbook nfl coreentity rat rezer0 spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Contract Documents.exe

Resource

win10v2004-20220414-en

formbook nfl persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

nfl

Decoy

giacamp.net

qb51.party

mashalevine.com

russiasexdating.com

jitangyy.com

morockin.com

karoreiss.com

tractionhero.today

bienvenueenprovence.net

stormharbour.info

61999h.com

tryandcert.com

bestwaytosuccess.com

laobaochang.com

otomatiktente.com

rehpb.info

ivpdqb.info

dc-wv-wv-ie-q.com

goingmagic.com

cimachain.com

northernengage360.com

wastewatertreatment.systems

coinopy.com

shoudami.com

mobilbahis.world

qshkr.com

okccashforhouses.com

mattressesspot.com

fyou168.com

131bb6.com

browserangel.net

transliberte.com

bakir-sulfat.net

rossilawfirmny.com

timothy-kwan.com

sdhtxj.com

affluenttoronto.com

profile-lord.date

77eb0l.faith

worldcup.city

nytimesnews.net

sarahdigiulio.com

343manbet.com

archeryunion.com

bullitshield.com

wzhan.ink

thehamzas.info

fyrwrk.net

klassy-kinks.com

bolttorquechart.com

willingcake.com

mohameddarbal.com

e-chicha.com

healthyperfection.com

steklonti.com

beauxtaylor.com

186524.com

libertybarracks.com

urban-compositions.com

michaeljlee.net

planovafg1.com

merrint.com

416thencomassn.com

xn--2j1b95kqybe0ioxir3sl4c.com

salomdy.com

Targets

- Target
  
  Contract Documents.exe
- Size
  
  344KB
- MD5
  
  376d7e1871d7d432b255403e399e6334
- SHA1
  
  a2a852627172066b3fbd344abdb3aa985ec35b47
- SHA256
  
  6348a886a9796d2fa05cd1792d8299c1a3a66e016b04a115e34c47d49415714d
- SHA512
  
  2bd6de7794a465193331a590145c5422ba6ec607b4ec4b98662302e8d7763d41971ee5e84c92052f056a1b8b0584461d99db7cf81b457df08f6d7ef2d5e8436b
Score

10^/10

formbook nfl coreentity rat rezer0 spyware stealer trojan persistence suricata
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbooknflcoreentityratrezer0spywarestealertrojan

behavioral2

formbooknflpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy