0025dd0c81142c4d22f609d32059709406269193830fdfc76d0530d98062c6c3

General
Target

0025dd0c81142c4d22f609d32059709406269193830fdfc76d0530d98062c6c3

Size

314KB

Sample

220521-xlvfxscad6

Score
10/10
MD5

122ce70f3193477ac2533c56f09a1012

SHA1

6d4bbed8a6475c6fe26ef094b96dc3b13900d342

SHA256

0025dd0c81142c4d22f609d32059709406269193830fdfc76d0530d98062c6c3

SHA512

7337b4e83af67869335bf0ea2884a304f631db96707e36f3a30aa7509c8b9bc95ee8ce89f8912d0c796aa6d5faed654730ab2dfa81a408ed6341f6d9c0dfada4

Malware Config

Extracted

Family formbook
Version 4.1
Campaign q5e
Decoy


Targets
Target

PO KH-TECH.exe

MD5

cec3c5e9ed6457abf83f3650bab34a0d

Filesize

400KB

Score
10/10
SHA1

ca81643244ea28e9824d21fc1c779f53679a76dd

SHA256

66812d316b85e20248c4af1f141a372ec1e434d951f7c6fc51402ab23da87845

SHA512

dd02eb4c30720d40383e78e76c912e2689c4dead68a89b113086574d871a21bc73129f21d8ca0b5a00aecd658d69456262af727ccbdbab931a1cf47e1870ac5a

Tags

Signatures

  • CoreEntity .NET Packer

    Description

    A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.

    Tags

  • Formbook

    Description

    Formbook is a data-stealing malware family.

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (GET)


    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2


    Tags

  • Formbook Payload

    Tags

  • ReZer0 packer

    Description

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    Tags

  • Deletes itself

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials.

    Tags

    TTPs

    Data from Local System
    Credentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation