General

  • Target

    Scan00350.js

  • Size

    3.0MB

  • Sample

    211116-xr23ysfag2

  • MD5

    799061874d6078ee9ed3fe7a336f3f57

  • SHA1

    a2c7d54b505d3dc2407cfa43356e9d630de6a69f

  • SHA256

    8565a460a65f0e087c1e1e59d1dbeb030fb7c7aa0cf2c6d758d37fddcdb8ef14

  • SHA512

    c7d0dc37e0f1742a32e5f2c860391f533831cc675c02082927e86487337aac99a54a2fb7a34964766ca936a6726d61d0d47e6bb772003d959ccd471e4950b267

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    my7g

  • C2

    http://www.alibabasite.com/my7g/

  • Decoy

Extracted

  • Family

    wshrat

  • C2

    http://140.228.29.190:7121

Targets

    • Formbook

      Formbook is an information-stealing malware family that harvests data from infected systems.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Formbook Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks