Rewterz penetration testing services help organizations determine whether a cyber attacker can gain access to their critical assets, while giving them detailed insight into the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity
Medium
Analysis Summary
A malicious Microsoft Word document has been reported that contains a link used to harvest the login credentials of the victim's personal email accounts.
A Rich Text Format (RTF) file was reported that contains six Microsoft Excel worksheets with embedded Visual Basic (VB) scripts. The scripts invoke PowerShell to download a payload onto the system.
Another reported file contains a 32-bit Windows .NET executable. The file is designed to install a malicious 32-bit Windows executable; that executable is the payload, identified as a variant of the FormBook malware. During analysis, the malicious executable injected itself into a list of Windows processes and collected the victim's data, including user keystrokes, clipboard contents, screenshots, and passwords from web browsers and other applications.
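The following triage check is an added example for the RTF technique described above; it is not part of the advisory or of any Rewterz tooling. It enumerates the embedded object groups in an RTF, decodes each objdata blob and flags embedded workbooks whose compound-file directory names a VBA project storage. The RTF and the workbook bytes it runs on are constructed stand-ins, not the reported samples.

```python
import re
import struct

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")            # OLE compound file header (xls/doc containers)
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")           # CFB directory entry name present when macros exist

def _ole1_blob(payload: bytes, class_name: bytes) -> str:
    """Wrap payload in an OLE 1.0 embedding header, hex-encoded as RTF \\objdata expects (constructed)."""
    hdr = struct.pack("<II", 0x00000501, 2)                # OLE version, format id 2 = embedded object
    hdr += struct.pack("<I", len(class_name) + 1) + class_name + b"\x00"
    hdr += struct.pack("<II", 0, 0)                        # two empty strings (topic name, item name)
    hdr += struct.pack("<I", len(payload))
    return (hdr + payload).hex()

# Constructed stand-in for a workbook stream: CFB magic plus a VBA storage name, no real workbook content
FAKE_XLS_WITH_VBA = CFB_MAGIC + b"\x00" * 24 + "_VBA_PROJECT_CUR".encode("utf-16-le") + b"\x00" * 8

# Constructed RTF mimicking the advisory's sample: six embedded Excel.Sheet objects plus one benign Package object
SAMPLE_RTF = (
    r"{\rtf1\ansi Please review the attached proforma. "
    + "".join(r"{\object\objemb{\*\objclass Excel.Sheet.8}{\*\objdata "
              + _ole1_blob(FAKE_XLS_WITH_VBA, b"Excel.Sheet.8") + "}}" for _ in range(6))
    + r"{\object\objemb{\*\objclass Package}{\*\objdata " + _ole1_blob(b"readme", b"Package") + "}}}"
)

def triage_rtf(rtf: str) -> dict:
    """Enumerate \\object groups, decode each \\objdata blob and flag macro-bearing embedded workbooks."""
    objects = []
    for chunk in rtf.split(r"\object")[1:]:               # each chunk starts right after a \object keyword
        cls = re.search(r"\\objclass\s+([^}\\]+)", chunk)
        data = re.search(r"\\objdata\s*([0-9A-Fa-f\s]+)", chunk)
        if not data:
            continue
        blob = bytes.fromhex(re.sub(r"\s+", "", data.group(1)))
        objects.append({
            "class": cls.group(1).strip() if cls else "",
            "is_cfb": CFB_MAGIC in blob,                   # embedded OLE compound file
            "has_vba": VBA_MARKER in blob,                 # directory names a VBA project storage
        })
    excel = [o for o in objects if "excel" in o["class"].lower()]
    return {
        "object_count": len(objects),
        "excel_sheet_count": len(excel),
        "vba_object_count": sum(o["has_vba"] for o in objects),
        # Heuristic: any macro-bearing object, or several embedded sheets in one document, warrants sandboxing
        "suspicious": any(o["has_vba"] for o in objects) or len(excel) >= 2,
    }

if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
```

The marker scan only works on uncompressed, unencrypted blobs; a hit is a reason to detonate the file in a sandbox and look for Office processes spawning PowerShell, not a final verdict.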
Impact
Credential Theft
System Access
Information Disclosure
Malware Infection
Indicators of Compromise
Remediation