General
-
Target
0fa8c40b66010aa718362b8bb897a8ddbb90301af45f7741c1fc11c8ec1d1fbf
-
Size
331KB
-
Sample
220521-d13lasgfe5
-
MD5
debeeda2ebd46666ab7d156bfd4ca872
-
SHA1
4d2e794330e2e20495672562fa9fc1a4f03e0e42
-
SHA256
0fa8c40b66010aa718362b8bb897a8ddbb90301af45f7741c1fc11c8ec1d1fbf
-
SHA512
0ab9b340ea619946b43ece8f7ccd781d490e71f4499dfda2b06dcc623cea9e4a75fcfdb37c3db2f43c9e2d2d3cd3086cdd812128d7c4832d4aaa7e83adcc74c4
Malware Config
Extracted
formbook
4.1
p2p
sjaxdbcj.com
kamalsparsh.com
qwc.ink
skyblockservers.com
servantquarters.info
databuster.net
randomwalk.science
momeidou.com
oxim.us
heartdogstudios.com
grindskip.com
61jg.info
209bifa.com
shanti-company.com
arrqam.com
worldupbiz42.com
mdr-gni-treatment.info
homecenterpoint.com
zqxxnykj.com
www7777221.com
Targets
-
-
Target
sample
-
Size
360KB
-
MD5
3da0759681d198fe698227ccd07077e9
-
SHA1
bb4315e844e89f46f230a5172a5220ff7d60c80b
-
SHA256
b9c1be5f81b9261b1bb68fb0f667a57721bd04b750427a9382844c42d18dba6e
-
SHA512
3756319a44e054e5fe27274e22dc121863777ca5ed9876eee9b48cb32c90e1fa42a9310c10c644f9c59cf97e6846b3eaf63f1200b301c3630f8ee7224fca6db2
Score10/10-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-