General

  • Target

    29a2494b73b9775e4dbaa708d8584f1ce1e6aae6c49d5589b18dbe066e4cb708

  • Size

    245KB

  • Sample

    220521-dtm72agcf7

  • MD5

    753f76dc719b6be39f1cf6ff22dd210f

  • SHA1

    6faa2e2d6b0ecbd8fc625e1ae106d2d1eec513af

  • SHA256

    29a2494b73b9775e4dbaa708d8584f1ce1e6aae6c49d5589b18dbe066e4cb708

  • SHA512

    3a990dc83254f040422963f521d88bf5c0e077d0653a07ee04c70a75f8a2643ffc61c9ed5105a7bee4b17ee7b716cca1cc64668e2df220c635cce3e66ccebf33

Malware Config

Extracted

  • Family

    formbook

  • Version

    3.9

  • Campaign

    20w

  • Decoy

Targets

    • Target

      ORDER INQUIRY.exe

    • Size

      279KB

    • MD5

      6bd95e18dbd55ab2bb32d2bdef0c88e6

    • SHA1

      5fb95f1577c4d4c810a2a663db4a87704031126e

    • SHA256

      27379cbd39dae5d145ff292ffd71387a5508bba83997177272742b486cb4e662

    • SHA512

      483301dd5b6198feab4dbaf0b17039a7b99e423a0c2eeaff609a1973d9b66cb3f22c1afab28769fb9a4530a2e3bb5b19ab3b2a62233807630db3ec6ffcb4fb32

    • CoreEntity .NET Packer

      A .NET packer, CoreEntity, that embeds the payload as a Bitmap object which is decrypted at runtime.

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

| Tactic               | Technique                    | Count | ID    |
|----------------------|------------------------------|-------|-------|
| Execution            | Scripting                    | 1     | T1064 |
| Execution            | Scheduled Task               | 1     | T1053 |
| Persistence          | Scheduled Task               | 1     | T1053 |
| Privilege Escalation | Scheduled Task               | 1     | T1053 |
| Defense Evasion      | Scripting                    | 1     | T1064 |
| Discovery            | Query Registry               | 1     | T1012 |
| Discovery            | System Information Discovery | 2     | T1082 |