General

  • Target

    Scan007.js

  • Size

    2.4MB

  • Sample

    211026-lhm2wshah4

  • MD5

    c5c9afb0a28b09453c8460d20db26159

  • SHA1

    c8ca7d5879158942102b42d57d597189a0485a27

  • SHA256

    9d90d70b8ff4f7620d8f1618718db8561dfa5d375a3c5fbb00dadbeb51f1456e

  • SHA512

    692a2bba8a4d294e2be537d93fbde8172282adc9a927470615c0756b33671fde520b06141e9f88abfb5855315c4ad56484017d15b8e7f09109d46a9abed49c28

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

my7g

C2

http://www.alibabasite.com/my7g/

Decoy

pcbdscience.xyz

askselection.online

sk.supply

k4financialservices.com

dentafac.com

solutionsoutlet.net

tifournae.quest

officialjus.com

soy-salud.com

oilspe.com

treeguyphx.com

minirilla.com

receitasgostosinhas.com

ecoracing.tech

ifootballbootspro.com

inktechmedia.com

52yongle.com

golf-for-gold.com

acunbilgi.com

fagiroerde.quest

Extracted

Family

wshrat

C2

http://137.184.6.37:7121

Targets

    • Target

      Scan007.js

    • Size

      2.4MB

    • MD5

      c5c9afb0a28b09453c8460d20db26159

    • SHA1

      c8ca7d5879158942102b42d57d597189a0485a27

    • SHA256

      9d90d70b8ff4f7620d8f1618718db8561dfa5d375a3c5fbb00dadbeb51f1456e

    • SHA512

      692a2bba8a4d294e2be537d93fbde8172282adc9a927470615c0756b33671fde520b06141e9f88abfb5855315c4ad56484017d15b8e7f09109d46a9abed49c28

    • Formbook

      Formbook is an information-stealing malware that harvests credentials and other data from infected systems.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Formbook Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks