formbook

General

Target

a.bin
Size

5KB
Sample

230516-wqjpjsba9v
MD5

69525fa93fd47eb3c533afe3b1baba48
SHA1

3dea1b337987177c73c64e89b370d90dc94c64cb
SHA256

8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9
SHA512

909202467de5c96404c154cd3be55643df62c13c395bd6e0406be5834c3a10b953f42cc3520ac5979af754af192260ec737d19892333e5a8dfab79aef9b23182
SSDEEP

48:6di2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYM/cphuOulavTqXSfbNtm:uNiqp3JkQHyDUtE2WcpisvNzNt

Malware Config

Extracted

Family

redline

Botnet

PERSOM

C2

176.124.219.192:14487

Attributes

auth_value
0695a610af712a57529526101d7e83b2

Extracted

Family

quasar

Version

1.4.0

Botnet

X

C2

45.141.27.208:4780

127.0.0.1:4780

Mutex

d6e77ea9-bff7-4566-b4dd-f1be3c293c5e

Attributes

encryption_key
57F667877C1FCDA6663E2FDAC6FB8CFDE3CEA957
install_name
winx.exe
log_directory
Logs
reconnect_delay
3000
startup_key
winx
subdirectory
sys

Extracted

Family

lokibot

C2

http://171.22.30.164/mancho/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

redline

Botnet

001

C2

185.161.248.172:26464

Attributes

auth_value
74f84f676351018a32a2307c4196a45c

Extracted

Family

formbook

Version

4.1

Campaign

e8fg

Decoy

rmaex.xyz

thegreenambition.com

ifmcustomerevents.com

agencewebimage.com

w0a00dbe.buzz

shopbequynhff.com

webpetarung.online

girlgonecyber.com

lexoutwest.com

gramshilpartandcraft.com

kemeioficial.com

track-race-package.com

shop-domanopro.com

bohanshow.com

ateliermedispa.com

paragonhonda-ny.com

calzadosnova.com

thephoenixoneproject.com

pl66380.com

nightowlmarketinggroup.com

Targets

- Target
  
  a.bin
- Size
  
  5KB
- MD5
  
  69525fa93fd47eb3c533afe3b1baba48
- SHA1
  
  3dea1b337987177c73c64e89b370d90dc94c64cb
- SHA256
  
  8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9
- SHA512
  
  909202467de5c96404c154cd3be55643df62c13c395bd6e0406be5834c3a10b953f42cc3520ac5979af754af192260ec737d19892333e5a8dfab79aef9b23182
- SSDEEP
  
  48:6di2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYM/cphuOulavTqXSfbNtm:uNiqp3JkQHyDUtE2WcpisvNzNt
Score

10^/10

formbook lgoogloader lokibot quasar redline smokeloader 001 persom x e8fg backdoor downloader evasion infostealer persistence rat spyware stealer trojan upx vmprotect
- Detects LgoogLoader payload
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- LgoogLoader
  A downloader capable of dropping and executing other malware families.
  downloader lgoogloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Formbook payload
  rat
- Downloads MZ/PE file
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1