formbook | 0025dd0c81142c4d22f609d32059709406269193830fdfc76d0530d98062c6c3 | Triage

Submit
Reports

Overview

overview

Static

static

PO KH-TECH.exe

windows7_x64

PO KH-TECH.exe

windows10-2004_x64

Sharing

General

Target

0025dd0c81142c4d22f609d32059709406269193830fdfc76d0530d98062c6c3
Size

314KB
Sample

220521-xlvfxscad6
MD5

122ce70f3193477ac2533c56f09a1012
SHA1

6d4bbed8a6475c6fe26ef094b96dc3b13900d342
SHA256

0025dd0c81142c4d22f609d32059709406269193830fdfc76d0530d98062c6c3
SHA512

7337b4e83af67869335bf0ea2884a304f631db96707e36f3a30aa7509c8b9bc95ee8ce89f8912d0c796aa6d5faed654730ab2dfa81a408ed6341f6d9c0dfada4

Score

10^/10

formbook q5e coreentity persistence rat rezer0 spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO KH-TECH.exe

Resource

win7-20220414-en

formbook q5e coreentity persistence rat rezer0 spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO KH-TECH.exe

Resource

win10v2004-20220414-en

formbook q5e persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

2177.ltd

thanxiety.com

max-width.com

fixti.net

mostmaj.com

mobilteknolojiuzmani.com

historyannals.com

wheelchairmotion.com

mossandmoonstonestudio.com

kastellifournis.com

axokey.net

peekl.com

metsteeshirt.com

abcfinancial-inc.com

btxrsp.com

amydh.com

ccoauthority.com

lumacorretora.com

kimfelixrealtor.com

iconext.biz

giftstgg.com

imonsanto.com

invoicefor.com

qfhxlw.com

wsykyy.com

gladius.network

peliculaslatino.online

timookflour.com

gxkuangjian.com

utvklj.men

rabota-v-avon.online

sheashealingway.com

thoitrangaoda.com

rytechweb.com

circuit69.com

crowd-design.biz

carosiandrhee.com

778d88.com

calvinkl.com

cjkit.com

jgkwhgxe.com

sanitascuadromedico.com

mellorangello.com

whiteinnocence.com

medtechdesignstudio.net

nurturingskin.com

guardyourweb.net

juw2017.com

jnheroes.com

damicosoftwaresystems.com

gesband.com

onwardsandupwards.info

gopropackaging.com

centerforaunts.com

sarrahshewdesign.com

intelligentcoach.net

iasisf.agency

products-news.com

calvinspring.com

100zan.site

9mahina.com

saleaustralianboots.com

floatinginfotech.com

calcinoneweek.com

yofdyk.com

Targets

- Target
  
  PO KH-TECH.exe
- Size
  
  400KB
- MD5
  
  cec3c5e9ed6457abf83f3650bab34a0d
- SHA1
  
  ca81643244ea28e9824d21fc1c779f53679a76dd
- SHA256
  
  66812d316b85e20248c4af1f141a372ec1e434d951f7c6fc51402ab23da87845
- SHA512
  
  dd02eb4c30720d40383e78e76c912e2689c4dead68a89b113086574d871a21bc73129f21d8ca0b5a00aecd658d69456262af727ccbdbab931a1cf47e1870ac5a
Score

10^/10

formbook q5e coreentity persistence rat rezer0 spyware stealer suricata trojan
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookq5ecoreentitypersistenceratrezer0spywarestealersuricatatrojan

behavioral2

formbookq5epersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy