General

  • Target: 20e3c744070c72a6ec5b03e044f996756bee8b49d5c9d6b852adaa71b15df670
  • Size: 351KB
  • Sample: 220521-dwmdhsbdej
  • MD5: 73ab6282340d7e818e7e714c6f5de271
  • SHA1: c36f965b9fa423c9d52ca5942e9bff1aa1a31893
  • SHA256: 20e3c744070c72a6ec5b03e044f996756bee8b49d5c9d6b852adaa71b15df670
  • SHA512: 903e76ad4b86fa5ae4dad6ed3717cc1796ac21242fb7b42290420cc28239b9d47a102abd92be94520389d619915ba8261e17612c15d06811963b8ae3d613cb5c

Malware Config

Extracted

  • Family: formbook
  • Version: 4.0
  • Campaign: jac0
  • Decoy

Targets

  • Target: QRFN107571083IMB.bat
  • Size: 405KB
  • MD5: 2d2db3a8698206d1e4b0928f4910de8c
  • SHA1: eb735b973979d0a6c3dbd32638c84990c4503a37
  • SHA256: 3b7dc89103d8c49eea88bd302c37e6b9c1f1ae13bdd38c9ff9709568b9f56e3b
  • SHA512: 5e9ce4fc978df75833069dbdd0de93ef07d2141b3facbee7e69e7177c02d5fe4b7e65e348d7179997d726961905e655fa9644652bf208ff6f47c798ef4683a11

  • CoreEntity .NET Packer
    CoreEntity is a .NET packer that embeds its payload as a BitMap object which is later decrypted.
  • Formbook
    Formbook is a data-stealing malware family.
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  • Formbook Payload
  • ReZer0 packer
    Detects ReZer0, a packer with multiple versions used in various campaigns.
  • Deletes itself
  • Reads user/profile data of web browsers
    Infostealers often target stored browser data, which can include saved credentials and similar secrets.
  • Adds Run key to start application
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                            Count  ID
  Execution          Command-Line Interface               1      T1059
  Persistence        Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion    Modify Registry                      2      T1112
  Credential Access  Credentials in Files                 1      T1081
  Discovery          System Information Discovery         1      T1082
  Collection         Data from Local System               1      T1005