General

  • Target

    830100a3246670a17c2e0c4efe473210d9d31dc90bb3e7c1aee8a0039d63641d

  • Size

    263KB

  • Sample

    220521-n782rshhhr

  • MD5

    50674b8ec7d78ac6cb23769c195413ef

  • SHA1

    b01441c9cb97a6f46a626b5f4dd6d3642cd5e973

  • SHA256

    830100a3246670a17c2e0c4efe473210d9d31dc90bb3e7c1aee8a0039d63641d

  • SHA512

    44120d6a8f1954903ab7b4a56230612d68a05d14cbe30cc1b94d5ce87e5219ef8801bf0c95245d51b367c081195359e74ab9fc19b43c0793734eed93405aadf1

Malware Config

Extracted

Family

netwire

C2

185.234.216.161:4017

Attributes

  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    fplGYvgE

  • offline_keylogger

    true

  • password

    Pa$$word

  • registry_autorun

    false

  • startup_name

  • use_mutex

    true

Extracted

Family

formbook

Version

3.9

Campaign

jb9

Decoy

Targets

    • Target

      RFQ REF #208056_pdf.exe

    • Size

      728KB

    • MD5

      f3b1f1b9b303a7a50481a0acd5aee6ac

    • SHA1

      c50dd6f9de9bcb477f8fed61eb706a71ed8a7522

    • SHA256

      0c91c97182b3f1389437d15ff6aaa935156fc5ecc1c71c5588c0d831943acf4e

    • SHA512

      68f469f626b423d20b4103f4ea23fc875c286df57a157302144aaf15310802f5dad06d1d370b50181a5c52e68301ef74c0fab92575ea4061b7b3c0ad196365c1

    • Formbook

      Formbook is a data-stealing malware family.

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote-control capabilities.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Formbook Payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 2

  • Defense Evasion

    Modify Registry (T1112): 3

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 1