
Rewterz Threat Alert – FormBook Malware – Active IOCs

Severity

Medium

Analysis Summary

FormBook is a data-stealing malware family that has been active since 2016 and affected 4% of enterprises in 2020. It logs keystrokes, locates and accesses files, takes screenshots, harvests passwords from a range of browsers, drops files, and downloads and executes stealthier malware on instructions from its command-and-control (C2) server. The cybercriminals behind these email campaigns used a variety of delivery formats to distribute it, including PDFs, Office documents, and ZIP and RAR archives.

Impact

  • Credential Theft
  • Data Theft
  • Keystroke Logging

Indicators of Compromise

Domain Name

  • bupis44[.]info

MD5


SHA-256


SHA-1


Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
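A defender-side implementation of the "search for IOCs" step, added here as an example and not part of the Rewterz advisory: it refangs indicators written in the advisory's `[.]` form, sorts hashes by digest type, and checks file contents and DNS/proxy log lines against them. The sample IOC list and log lines are constructed for the example; bupis44[.]info is the domain listed above, while the hash entries are placeholders derived from known content.

```python
import hashlib
import os
import re
# Constructed sample IOC list in the advisory's defanged format. The hash
# values are placeholders derived from known content, not the advisory's own.
SAMPLE_IOC_LINES = ["bupis44[.]info",
                    hashlib.md5(b"constructed sample payload").hexdigest(),
                    hashlib.sha256(b"another constructed sample").hexdigest()]
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

def refang(ioc):
    # Turn a defanged indicator (bupis44[.]info, hxxp://) into a usable string.
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")

def load_iocs(lines):
    # Sort indicators into hash sets (by digest length) and a domain set.
    iocs = {"md5": set(), "sha1": set(), "sha256": set(), "domain": set()}
    for raw in lines:
        value = refang(raw)
        if re.fullmatch(r"[0-9a-f]+", value) and len(value) in HASH_TYPES:
            iocs[HASH_TYPES[len(value)]].add(value)
        elif value:
            iocs["domain"].add(value)
    return iocs

def match_content(data, iocs):
    # Hash one blob with all three algorithms and name those that hit an IOC.
    return [n for n in ("md5", "sha1", "sha256")
            if getattr(hashlib, n)(data).hexdigest() in iocs[n]]

def scan_tree(root, iocs):
    # Walk a directory tree and report files whose content matches an IOC hash.
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                matched = match_content(fh.read(), iocs)
            if matched:
                hits.append((path, matched))
    return hits

def match_log_lines(lines, iocs):
    # Flag DNS/proxy log lines naming an IOC domain (subdomains count as hits).
    if not iocs["domain"]:
        return []
    alts = "|".join(re.escape(d) for d in sorted(iocs["domain"]))
    pattern = re.compile(r"(?:^|[^a-z0-9-])(?:" + alts + r")(?![a-z0-9-])")
    return [line for line in lines if pattern.search(line.lower())]
```

Hashes with the advisory's full lists can be fed to `load_iocs` as-is; `scan_tree` reads whole files, so restrict it to likely drop locations rather than a full disk on production hosts.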