General

  • Target

    5dfcf6efcbb02b8c8f7621a5eb2ab6b9e7cb9f8eae8272e763c21847642ac3d2

  • Size

    1.0MB

  • Sample

    220731-1nfmbshfg2

  • MD5

    a2d20998ca917e55b1900c5c19c5c696

  • SHA1

    b4c5296ce6e88e435e2e6a072eaf8e35f9dcb952

  • SHA256

    5dfcf6efcbb02b8c8f7621a5eb2ab6b9e7cb9f8eae8272e763c21847642ac3d2

  • SHA512

    52f461acc91c9b67049b5259f898049b405c31504d4b5f71e59bdb8bb60784217e66f526f96386a25e9ab1e385bbb66696c9ef0f605dbc652c19f47e0729699d

Malware Config

Extracted

Family

netwire

C2

dinesaad.hopto.org:8123

Attributes

  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

formbook

Version

3.8

Campaign

js3

Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family (an infostealer).

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Formbook payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Tasks