830100a3246670a17c2e0c4efe473210d9d31dc90bb3e7c1aee8a0039d63641d

General
Target

830100a3246670a17c2e0c4efe473210d9d31dc90bb3e7c1aee8a0039d63641d

Size

263KB

Sample

220521-n782rshhhr

Score
10/10
MD5

50674b8ec7d78ac6cb23769c195413ef

SHA1

b01441c9cb97a6f46a626b5f4dd6d3642cd5e973

SHA256

830100a3246670a17c2e0c4efe473210d9d31dc90bb3e7c1aee8a0039d63641d

SHA512

44120d6a8f1954903ab7b4a56230612d68a05d14cbe30cc1b94d5ce87e5219ef8801bf0c95245d51b367c081195359e74ab9fc19b43c0793734eed93405aadf1

Malware Config

Extracted

Family netwire
C2

185.234.216.161:4017

Attributes
activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
fplGYvgE
offline_keylogger
true
password
Pa$$word
registry_autorun
false
startup_name
use_mutex
true

Extracted

Family formbook
Version 3.9
Campaign jb9
Decoy

Targets
Target

RFQ REF #208056_pdf.exe

MD5

f3b1f1b9b303a7a50481a0acd5aee6ac

Filesize

728KB

Score
10/10
SHA1

c50dd6f9de9bcb477f8fed61eb706a71ed8a7522

SHA256

0c91c97182b3f1389437d15ff6aaa935156fc5ecc1c71c5588c0d831943acf4e

SHA512

68f469f626b423d20b4103f4ea23fc875c286df57a157302144aaf15310802f5dad06d1d370b50181a5c52e68301ef74c0fab92575ea4061b7b3c0ad196365c1

Tags

Signatures

  • Formbook

    Description

    Formbook is a data-stealing malware family (an information stealer / form grabber).

    Tags

  • NetWire RAT payload

    Tags

  • Netwire

    Description

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    Description

    suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    Tags

  • Formbook Payload

    Tags

  • Adds policy Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry
  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry; System Information Discovery
  • Deletes itself

  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System; Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation