General
-
Target
3e82cb25670dd3d5df50f74cdf12c6166ac1ef789f0405048c97c3552728d88d
-
Size
271KB
-
Sample
220521-xlhr5acab6
-
MD5
9a3776baf1ccbc92a6cae7e741ad2fa0
-
SHA1
b4ecefc4d1b2daaaeb2580dd56b2e966f0113db1
-
SHA256
3e82cb25670dd3d5df50f74cdf12c6166ac1ef789f0405048c97c3552728d88d
-
SHA512
7e7f7c7d8586420aa93c493ddf5126fb398602fe0f425cac577d249c3c64a28e07bde67fd003d2e1c6bd5d29ab08424f659b7f86c04f4e06bc1085f6930c3339
Malware Config
Extracted
formbook
4.0
lgm
somethingspecial.net
brickmachineequipment.com
asapprintingsales.com
wbmason.jobs
acu.ink
santandier.com
theboxofficemovies.com
tv16507.info
richardzacur.com
eurosevi.com
reformasydecoracionesrian.com
1x1zeroautumn.men
peipw.com
wurzburg.city
kidstoyscheap.com
star-pump.com
mimarsinanresidence.com
indoorgolfschool.com
livinitwithlou.net
cailiaowenda.com
Targets
-
-
Target
Total GP Employment Offer.exe
-
Size
310KB
-
MD5
04c8a35797fa8d2e1e3ed5f65f128d04
-
SHA1
9736f277710815dafe27857805e0c7af97adfaeb
-
SHA256
adf4b8a00eec7af49d20ac1939ca9b5c078e8d119c7e6f1b708c5e39df3acf71
-
SHA512
1e0476cde888f0bec1da340809397a1582a35e2f569b9a4ba6b397b885c3ddd481deec840f245dbcb55b1d2650afcb5716779249c4d4d934afda0ace0088a47b
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Formbook Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-