General
-
Target
ef76be173c03ffd56f7b5607b65c7fd8d4833d6b76be683f1e7fd82fd9f86900
-
Size
271KB
-
Sample
220521-cbbkvadee7
-
MD5
3abf5b51d0697b600e3d9110aae65c1b
-
SHA1
f15b5f529fab8865e02abedb7ea4b539059a5882
-
SHA256
ef76be173c03ffd56f7b5607b65c7fd8d4833d6b76be683f1e7fd82fd9f86900
-
SHA512
69c876caa5b3f73b66317051976c9698ad6486026d7d39a0b161ef534c8a0148d30dac86c4dfbbe3856df333a47d852e7aee2630011410c94aee9694a072c5af
Malware Config
Extracted
formbook
4.0
jac0
chatbot-consulting.com
alynt.info
saudiarabianwomenjobs.biz
kingtour.info
poshlacore.com
hypnosetherapist.com
tampahurricanrelief.com
qqgan16.com
tag-designco.com
viaeviastaff.com
unhosting.today
apple-request.info
whitesauce.net
627evq.info
mygolfingwarehouse.com
materiaprojects.com
rj-ipt.net
cordences.com
invescoapconference.com
supplementcult.com
Targets
-
-
Target
HSBC Payment Advice.bat
-
Size
329KB
-
MD5
3fa896fb15113a55eef386e3c00c6897
-
SHA1
9b41de7e652c801ecd1dfc266983dd1675d90a3c
-
SHA256
a5a17e29758a200bd8bd3805f5b1f292a236ee994274033ee1953ec7e9690db3
-
SHA512
e3f95d33f12de8eda7e1602d04f4c6f6539645d2275133fca87fb9687971d5d03db6a033deb21f69e4be808fb68c2793a0910a27b683ca15f7884ae977b36215
Score10/10-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Formbook Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Adds policy Run key to start application
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-