Rewterz Threat Alert – FormBook Malware

Rewterz Threat Alert – Nanocore Rat – Fresh IOCs

August 2, 2021

Rewterz Threat Alert – Donot APT Group – IOCs

August 2, 2021

Rewterz Threat Alert – FormBook Malware – Fresh IOCs

Severity

Medium

Analysis Summary

FormBook is an information-stealer malware that has been active since 2016. The info-stealer malware’s capabilities include stealing credentials, capturing screenshots of victim’s desktop, monitoring clipboard, keystroke logging, clearing browser cookies, downloading and executing files, uploading and removing bots, launching commands via ShellExecute, downloading and unpacking ZIP archive, rebooting and shutting down the system. The attackers behind these email campaigns used a variety of distribution techniques to deliver the FormBook info-stealer, including PDFs, Office Documents, ZIP, RAR, etc. Some of these files are related to quotation requests.

Impact

Credential theft
Keystroke logging
Data Theft

Indicators of Compromise

MD5

00695ebfd7afcd406ce8cb50dc42b981
6fd7f6a896112b50383e979a4209a088
1a319cb4b7cb45841cb87dbbceadf152
837eed0b0276914b55283362eb557c70
53ab34043d225c7fca168ad1a7df31a8
8730ea97b4dc74557e9e90194f74cdd5
fd30d28fcbcb1355343d594752b78772
63aa1dee9c5cb76309d30553dc4a4f0c
16362015f98c0cf0e0d6b500f0d2893d
92f15ca5167c47451b44f08c4eb0d5a4

SHA-256

779bc334a39305cff0e5d5cd202641d0878cd4eda07d35f85aecbe72ff5eff25
1cd93c07c439d16266f2276b1f38c53b57cd0de59490b6857044eda8abe78c01
6e2f5b008bdbf0b7c7c81649b7097bba3b1a6937b59c6e8eb20f1882707cfbbc
820874caef7dd09b3475fbeac4b6b7372446b6b5eee1583aa7eef9610e27b9f8
657bd12172568c696ae02af0948808a0f9ab30d77ed199abd0f3bdf08f5d0513
0c6823e63b28799c28145805bc2c143c67a52698e4af497070b9da8439d6b327
d00f87049fb2c7cbbf506ca2361e8295fe06926f17e1d2c16cfe3e88a2902f5a
93a6cb87273a83d5d43cc42d6c559eb812019ebb5176892c78cd260c550f59dd
3c78a8163632246f074a36ed8b6f1717aceb0ba55dcc5c5329ddb16d9cfd5755
4c1b38391ab198fb0e2c7050a8951e65efbc818991fb710f6deeb2c76a54c734

SHA-1

fe4c889499f5faa0d667705e24364450a0d966d9
2f68f67755d338156e8957949ac71380316bc221
aea2e1d33ec6df43b8bdceb9944ec7b788812ab2
c0810062703156f195c52ca3b516813cb3ccaee7
d65e76d0c79ac6270d3136af438bc36a69c7efc2
e4ea26950d948f050b5b112c2e70bd8c8ffba8b7
33cb0811591d84b68ce5cb07e1050e4dea0ce6cf
1636ba21ed87bfe916334bce77c5daafa6ee8bbc
e96c59a0f65a5df687a1bc261a22713e09b471fe
aaa650fdf71978a3143a5a8c85a57a5518c6c8e1

Remediation

Block all threat indicators at your respective controls.
Search for IOCs in your environment.