General

  • Target

    eb45c875c40e2da4a282032e52435a2f53225ee6f05e2ec109d246753151105e

  • Size

    274KB

  • Sample

    220521-ccc53agfer

  • MD5

    41950b2f7533691ef44ddf93138e4869

  • SHA1

    344c42ea10cb7192182d876054aec658a9dc0481

  • SHA256

    eb45c875c40e2da4a282032e52435a2f53225ee6f05e2ec109d246753151105e

  • SHA512

    08c2737d2214f61e96fbcdce1648a36a48aef43cd3b45d8a1aaed00d218fcf25d4a8114b015f4506ff1caf48dc4d155923d8d804bd510fb353abb6476bb357ea

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

y22

Decoy

hashafriyat.com

autoaccessorieshub.com

simelautomazioni.com

bulkappothecary.com

streaminglowcost.com

pixelraps.com

yyy9928.com

pigmansion.net

keyunix.com

bjbangshou.com

mindfulrace.com

fibuv.life

cambridgedesignpartnership.com

plumbeus.com

somebodydial911.com

atrishq.com

circcountry.com

ellenandjames.info

jeeprevivalstore.com

thetouchofjo.com
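Formbook beacons to the decoy domains in its configuration as well as to the real C2, so every entry in the list above is worth alerting on. The following is an added example, not part of the original report, that turns a subset of the extracted decoy list into a suffix-matching blocklist and runs it over constructed proxy log lines (the log format, source addresses and URL paths are assumptions made for the example); it handles the cases a plain string lookup gets wrong: subdomains, ports, upper-case hosts and trailing dots.

```python
# Added example, not part of the original report: match proxy log lines
# against the decoy domains extracted from the Formbook config. The log
# format, source addresses and URL paths are constructed for the example.
import re
from typing import Optional, List, Tuple
from urllib.parse import urlsplit

# Subset of the "Decoy" list from the report, lower-cased for matching.
DECOY_DOMAINS = frozenset({
    "hashafriyat.com", "autoaccessorieshub.com", "pixelraps.com",
    "yyy9928.com", "bjbangshou.com", "fibuv.life", "somebodydial911.com",
})

# Constructed log lines: "<timestamp> <src_ip> <method> <url>"
SAMPLE_LOG = """\
2022-05-21T10:14:03Z 10.0.0.12 GET http://www.pixelraps.com/site/
2022-05-21T10:14:05Z 10.0.0.12 GET http://notpixelraps.com/index.html
2022-05-21T10:14:07Z 10.0.0.12 GET http://BJBANGSHOU.COM:8080/site/
2022-05-21T10:14:09Z 10.0.0.25 GET https://example.com/
2022-05-21T10:14:11Z 10.0.0.12 GET http://fibuv.life./site/
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def host_of(url: str) -> str:
    """Hostname of a URL, lower-cased, with port and trailing dot removed."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def match_domain(host: str, blocklist) -> Optional[str]:
    """Return the blocklisted domain that `host` equals or is a subdomain of,
    so www.pixelraps.com matches but notpixelraps.com does not."""
    for domain in blocklist:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_log(text: str, blocklist=DECOY_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source, matched_domain) for each line hitting the list."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        domain = match_domain(host_of(m["url"]), blocklist)
        if domain:
            hits.append((m["ts"], m["src"], domain))
    return hits


if __name__ == "__main__":
    for ts, src, domain in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} -> {domain}")
```

Suffix matching on the registered domain rather than exact-host comparison is deliberate: the sample shows the bare domains, but the traffic may use `www.` or another host label in front of them.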

Targets

    • Target

      Purchase Order 77809 for acknowledgment.exe

    • Size

      329KB

    • MD5

      aa1570f6ee9ebb50240940d88401c8e4

    • SHA1

      b71b7448f02c4f0214d554ff5745671d24707e41

    • SHA256

      3f6ad3dcf88dadcb9c392ca1aac7c3bc063f22c56e5a1f5c568701da6063f950

    • SHA512

      dad0474addd1dc526068155ba5450a870c35da3fd69c51fc7ef595656a707275033b8a646f48f6ce0331167668f61909312c1ff6dee386345ebff26879b46164

    • CoreEntity .NET Packer

CoreEntity is a .NET packer that embeds its payload as a Bitmap object; the pixel data is read back and decrypted at runtime before the payload is loaded.

    • Formbook

Formbook is an information-stealing malware family; its capabilities include keylogging, form grabbing and theft of stored browser data.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved credentials.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
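The CoreEntity signature above notes that the payload travels inside a Bitmap object. When recovering such a payload statically from the resource on disk, the pitfall is the BMP layout itself: rows are 4-byte aligned and, for a positive header height, stored bottom-up, whereas the packer (via .NET's Bitmap) reads pixels top-down. The following is an added example, not part of the report and not CoreEntity's own code, that builds a constructed 24-bpp BMP carrier and extracts the pixel bytes in the order the packer would see them. The packer's decryption routine is not on the page, so the example stops at the raw pixel buffer that such a routine would consume.

```python
# Added example, not part of the original report and not CoreEntity's own
# code: recover the raw pixel buffer of a payload carried in a bitmap.
# Assumptions: an uncompressed 24-bpp BMP carrier, and a consumer that reads
# pixels top-down, left-to-right (the order .NET's Bitmap exposes them).
import struct


def build_bmp(payload: bytes, width: int = 5, top_down: bool = False) -> bytes:
    """Constructed sample carrier: pack `payload` into a 24-bpp BMP, one
    payload byte per colour channel. Rows are 4-byte aligned and, unless
    top_down is set, stored bottom-up as Windows normally writes them."""
    bpp = 3
    row_bytes = width * bpp
    height = -(-len(payload) // row_bytes)            # ceil division
    padded = payload.ljust(row_bytes * height, b"\x00")
    stride = (row_bytes + 3) & ~3                     # 4-byte row alignment
    rows = [padded[r * row_bytes:(r + 1) * row_bytes].ljust(stride, b"\x00")
            for r in range(height)]
    pixels = b"".join(rows if top_down else reversed(rows))
    # BITMAPINFOHEADER: a negative height signals a top-down bitmap
    info = struct.pack("<IiiHHIIiiII", 40, width, -height if top_down else height,
                       1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    offset = 14 + len(info)
    file_hdr = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    return file_hdr + info + pixels


def extract_pixel_bytes(bmp: bytes) -> bytes:
    """Return the pixel bytes in top-down, left-to-right order with the
    per-row alignment padding removed. A naive slice at the pixel-data
    offset returns rows in reverse with padding bytes interleaved."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    (offset,) = struct.unpack_from("<I", bmp, 10)
    hdr_size, width, height, _planes, bpp, compression = struct.unpack_from("<IiiHHI", bmp, 14)
    if hdr_size < 40 or bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bpp BMPs are handled here")
    bottom_up = height > 0
    height = abs(height)
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    rows = [bmp[offset + r * stride: offset + r * stride + row_bytes] for r in range(height)]
    if bottom_up:
        rows.reverse()
    return b"".join(rows)


def naive_slice(bmp: bytes, n: int) -> bytes:
    """What a plain slice straight after the pixel-data offset yields."""
    (offset,) = struct.unpack_from("<I", bmp, 10)
    return bmp[offset:offset + n]


if __name__ == "__main__":
    sample = bytes(range(32))                         # stand-in for an encrypted payload
    carrier = build_bmp(sample)
    recovered = extract_pixel_bytes(carrier)
    print("recovered", len(recovered), "pixel bytes; prefix matches:", recovered.startswith(sample))
    print("naive slice matches:", naive_slice(carrier, len(sample)) == sample)
```

With a width of 5 pixels each row holds 15 payload bytes plus one padding byte, which is enough to show that both the row order and the padding must be handled before any decryption step is attempted.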

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 signature matched

  • Defense Evasion: Modify Registry (T1112), 2 signatures matched

  • Credential Access: Credentials in Files (T1081), 1 signature matched

  • Collection: Data from Local System (T1005), 1 signature matched
