formbook | 602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2 | Triage

Submit
Reports

Overview

overview

Static

static

5

602c739be9...a2.exe

windows7-x64

602c739be9...a2.exe

windows10-2004-x64

Sharing

General

Target

602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2
Size

1.4MB
Sample

220731-g4r6hsddcl
MD5

77f0f467f4dd24a29e61427720c0ca1e
SHA1

7877047c7ac9bf91a13a7c5d6eae70460f3d3d5b
SHA256

602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2
SHA512

078e4904880602085ac61e016c5bc3a8fd4081b4b46f8d15fa594211b9224324e21765e58706c86b2bfbc21cda2d85220fd8b53ebc38bb4f46f5545ee8d6e5d8

Score

10^/10

formbook netwire ch botnet persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe

Resource

win7-20220715-en

formbook netwire ch botnet persistence rat spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe

Resource

win10v2004-20220721-en

formbook netwire ch botnet persistence rat spyware stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

185.125.205.84:6394

Attributes

activex_autorun
true
activex_key
{A21KRE7N-163G-58R1-55FA-N5EO6T322124}
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

formbook

Version

3.9

Campaign

ch

Decoy

sfbayfoodie.com

tridonics.com

got-stuff.com

vvk2.com

legacytrailsurgery.com

lintec-europeuk.com

pqbs4all.online

tensionon.com

5pkmko5-ddz.com

anuvallie.com

chornatastudio.com

hydroponic.today

soluinformatic.com

senero.info

pdblm.com

zumarecordings.com

vfun.ltd

hanyiwaimai.com

sourcingdog.com

hntgwl.com

katzenpension-happycat.com

mellovr.com

mybabyrompers.com

randolphinsnc.com

wemuggle.com

asalusul.online

myfireatl.com

hskclub.com

sherry5.com

ukpropertyessentials.com

bionanox.com

wnrjqq.info

uploadmetothe.cloud

aplusmathematicstution.com

lookez-nous.com

districtnewsbeat.com

media-think.com

arquitecturacoherente.com

wobe.ltd

philips-futurelab.com

iaminvisiblebeauty.com

businessfinancialaid.com

facehack.tech

eurodak.com

dvubfs.men

vrbitman.com

gwia.business

thenumberfactory.com

verify-sms-id.com

fortun8.enterprises

relydorn.net

metanewpower.com

wyn.vin

61666hb.com

cybertronichosting.com

26999dd.com

lefraje.com

8v9c.com

softwarevest.com

daotaonghethammythequeen.com

andreas-theurer.info

metodobrains.net

softonlab.com

terminalstream.com

wireboz.com

Targets

- Target
  
  602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2
- Size
  
  1.4MB
- MD5
  
  77f0f467f4dd24a29e61427720c0ca1e
- SHA1
  
  7877047c7ac9bf91a13a7c5d6eae70460f3d3d5b
- SHA256
  
  602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2
- SHA512
  
  078e4904880602085ac61e016c5bc3a8fd4081b4b46f8d15fa594211b9224324e21765e58706c86b2bfbc21cda2d85220fd8b53ebc38bb4f46f5545ee8d6e5d8
Score

10^/10

formbook netwire ch botnet persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbooknetwirechbotnetpersistenceratspywarestealertrojan

behavioral2

formbooknetwirechbotnetpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy