0025dd0c81142c4d22f609d32059709406269193830fdfc76d0530d98062c6c3

Target

Size

314KB

Sample

220521-xlvfxscad6

Score

10 ^/10

MD5

122ce70f3193477ac2533c56f09a1012

SHA1

6d4bbed8a6475c6fe26ef094b96dc3b13900d342

SHA256

0025dd0c81142c4d22f609d32059709406269193830fdfc76d0530d98062c6c3

SHA512

7337b4e83af67869335bf0ea2884a304f631db96707e36f3a30aa7509c8b9bc95ee8ce89f8912d0c796aa6d5faed654730ab2dfa81a408ed6341f6d9c0dfada4

Extracted

Family	formbook
Version	4.1
Campaign	q5e
Decoy	2177.ltd thanxiety.com max-width.com fixti.net mostmaj.com mobilteknolojiuzmani.com historyannals.com wheelchairmotion.com mossandmoonstonestudio.com kastellifournis.com axokey.net peekl.com metsteeshirt.com abcfinancial-inc.com btxrsp.com amydh.com ccoauthority.com lumacorretora.com kimfelixrealtor.com iconext.biz giftstgg.com imonsanto.com invoicefor.com qfhxlw.com wsykyy.com gladius.network peliculaslatino.online timookflour.com gxkuangjian.com utvklj.men rabota-v-avon.online sheashealingway.com thoitrangaoda.com rytechweb.com circuit69.com crowd-design.biz carosiandrhee.com 778d88.com calvinkl.com cjkit.com jgkwhgxe.com sanitascuadromedico.com mellorangello.com whiteinnocence.com medtechdesignstudio.net nurturingskin.com guardyourweb.net juw2017.com jnheroes.com damicosoftwaresystems.com gesband.com onwardsandupwards.info gopropackaging.com centerforaunts.com sarrahshewdesign.com intelligentcoach.net iasisf.agency products-news.com calvinspring.com 100zan.site 9mahina.com saleaustralianboots.com floatinginfotech.com calcinoneweek.com yofdyk.com 2177.ltd thanxiety.com max-width.com fixti.net mostmaj.com mobilteknolojiuzmani.com historyannals.com wheelchairmotion.com mossandmoonstonestudio.com kastellifournis.com axokey.net peekl.com metsteeshirt.com abcfinancial-inc.com btxrsp.com amydh.com ccoauthority.com lumacorretora.com kimfelixrealtor.com iconext.biz giftstgg.com imonsanto.com invoicefor.com qfhxlw.com wsykyy.com gladius.network peliculaslatino.online timookflour.com gxkuangjian.com utvklj.men rabota-v-avon.online sheashealingway.com thoitrangaoda.com rytechweb.com circuit69.com crowd-design.biz carosiandrhee.com 778d88.com calvinkl.com cjkit.com jgkwhgxe.com sanitascuadromedico.com mellorangello.com whiteinnocence.com medtechdesignstudio.net nurturingskin.com guardyourweb.net juw2017.com jnheroes.com damicosoftwaresystems.com gesband.com onwardsandupwards.info gopropackaging.com centerforaunts.com sarrahshewdesign.com intelligentcoach.net iasisf.agency products-news.com calvinspring.com 100zan.site 9mahina.com saleaustralianboots.com floatinginfotech.com calcinoneweek.com yofdyk.com

Target

PO KH-TECH.exe

MD5

cec3c5e9ed6457abf83f3650bab34a0d

Filesize

400KB

Score

10^/10

SHA1

ca81643244ea28e9824d21fc1c779f53679a76dd

SHA256

66812d316b85e20248c4af1f141a372ec1e434d951f7c6fc51402ab23da87845

SHA512

dd02eb4c30720d40383e78e76c912e2689c4dead68a89b113086574d871a21bc73129f21d8ca0b5a00aecd658d69456262af727ccbdbab931a1cf47e1870ac5a

Signatures

CoreEntity .NET Packer
Description

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
Tags

coreentity
Formbook
Description

Formbook is a data stealing malware which is capable of stealing data.
Tags

trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Description

suricata: ET MALWARE FormBook CnC Checkin (GET)
Tags

suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Description

suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Tags

suricata
Formbook Payload
Tags

rat
ReZer0 packer
Description

Detects ReZer0, a packer with multiple versions used in various campaigns.
Tags

rezer0
Deletes itself
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Command-Line Interface

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

static1

behavioral1

formbook q5e coreentity persistence rat rezer0 spyware stealer suricata trojan

10^/10

behavioral2

formbook q5e persistence rat spyware stealer suricata trojan

10^/10

Extracted

Tags

Signatures

CoreEntity .NET Packer

Description

Tags

Formbook

Description

Tags

suricata: ET MALWARE FormBook CnC Checkin (GET)

Description

Tags

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Description

Tags

Formbook Payload

Tags

ReZer0 packer

Description

Tags

Deletes itself

Reads user/profile data of web browsers

Description

Tags

TTPs

Adds Run key to start application

Tags

TTPs

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2