General

  • Target

    266578a915ac153e5cc8f553b1a0d31fcaf763a30a1fd94d55854d46aa9fe10c

  • Size

    253KB

  • Sample

    220521-pnhadafff5

  • MD5

    4163119052ec0ac95fac54f37c1facb7

  • SHA1

    03fc797841091c14625210ee0dbf17f026049526

  • SHA256

    266578a915ac153e5cc8f553b1a0d31fcaf763a30a1fd94d55854d46aa9fe10c

  • SHA512

    58bedfc6859402c5532a3017c6dbdb6a7be8dbf778e2c31f05419e16dbb977ba00778c15cface4aea89de94c2d36c281f05d2c611d826422431a746f2794d29a

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.0

  • Campaign

    jac0

  • Decoy

    chatbot-consulting.com
    alynt.info
    saudiarabianwomenjobs.biz
    kingtour.info
    poshlacore.com
    hypnosetherapist.com
    tampahurricanrelief.com
    qqgan16.com
    tag-designco.com
    viaeviastaff.com
    unhosting.today
    apple-request.info
    whitesauce.net
    627evq.info
    mygolfingwarehouse.com
    materiaprojects.com
    rj-ipt.net
    cordences.com
    invescoapconference.com
    supplementcult.com

Targets

    • Target

      Payment Advice Ref SCB100736792577.bat

    • Size

      267KB

    • MD5

      22ca964538e0d241d32f43dd21339a71

    • SHA1

      554da18303b6f1effcd638c037a1a77181ea2fd8

    • SHA256

      f6557b3412ca78e87ff38632aaf24732b74da646678fd6ea5f01134bb498fd14

    • SHA512

      85924e1b21580b4f18f70ffd165e50e6b82e1746a7a5bb17762384df796137f39d0bb14773be9650da693e2ac5f1f3e3ac5df10c1558ac9243fd34116d521f87

    • CoreEntity .NET Packer

      CoreEntity is a .NET packer that embeds its payload as a BitMap object, which is decrypted at runtime.

    • Formbook

      Formbook is a data-stealing malware family.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Adds policy Run key to start application

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Credential Access

    Credentials in Files (T1081): 1

  • Collection

    Data from Local System (T1005): 1

Tasks