General

  • Target: Client.vbs
  • Size: 13KB
  • Sample: 210111-1xryhp5nse
  • MD5: 9ca403f0126aca99dc9a1f58b748ec09
  • SHA1: 2cdd3b9af90f1bd5c391b7cb0b2dc27b148e97a5
  • SHA256: 8cc59465e09b47aa8c0fa9f06198c9a2e8a94eec0b7bf7c7e63cf1f972f6e88a
  • SHA512: a05eb64c8a08e83a5503cc77f3c91192c93c0c7219f68c2257ef51cb25e37a92e2c7fb2797513cf4db64ab9ae20d6269ac51a5a037bbf9119bcbf46d4b23f22b

Malware Config

Extracted

  • Family: formbook
  • C2: http://www.usuallycurious.com/ht8/
  • Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Formbook Payload
    • Blocklisted process makes network request
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
