formbook | 0c951f58a23cd2c9bdccb727d41e33e740344af36d91419907ce016977b2a62d | Triage

Resubmissions

11-02-2024 08:10

240211-j212ragb47 10

11-02-2024 08:09

240211-j2kprseb2w 10

09-02-2024 18:28

240209-w4c4xsde9t 10

02-02-2024 12:52

240202-p4dxwsgfej 10

02-02-2024 12:45

240202-pzapnsgdbp 10

16-01-2024 15:29

240116-sw8dbaehh3 10

10-01-2024 14:41

240110-r2wq2ahchl 10

10-01-2024 13:29

240110-qrqatshbg3 10

22-12-2023 08:48

231222-kqp1sadghq 10

Sharing

General

Target

4363463463464363463463463.bin.zip
Size

4KB
Sample

240202-p4dxwsgfej
MD5

4204f7bcb4ce002240de2af9fc5f4264
SHA1

83fb5688b0cffa93b06719d0fc5b62f70af460c5
SHA256

0c951f58a23cd2c9bdccb727d41e33e740344af36d91419907ce016977b2a62d
SHA512

75a636889904293bb493957af9fecf5ad044ff44bb82c07b550473e6af45931ece7f2e72b53891a90c4045f8d816752414c560d2486f055824f069e6573bf103
SSDEEP

96:fq6yIIHV+fWsPpulzlC8luqtW5idkvRmb/DLr2OtWtvJAsO13uhy5RKd9Wj:BIHV8WN5lu4iiTD/COtSvJAF1Gy5RKdC

Score

10^/10

formbook redline stealc @oni912 jn85 evasion infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

@oni912

C2

45.15.156.209:40481

Extracted

Family

stealc

C2

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

formbook

Version

4.1

Campaign

jn85

Decoy

106c6423c3.com

vittoriospumpherston.co.uk

furniture-best.com

employersfindme.online

colegioagustinruiz.com

fuziservice.com

differentlokal.com

azzfasst.com

kerncereus.online

johnschottllc.com

disembark-burgeoned.click

cabliviwarranty.com

justzionism.com

diplomy-ua.top

cloudadonis.com

vaalepoxies.africa

ky2088.vip

gsportal.africa

alphastrength-us.com

homerams.com

Targets

- Target
  
  4363463463464363463463463.bin
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

formbook redline stealc @oni912 jn85 evasion infostealer rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Formbook payload
  rat
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Credential Access

Discovery

Process Discovery

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

formbookredlinestealc@oni912jn85evasioninfostealerratspywarestealertrojan