General

  • Target

    Scan0035.js

  • Size

    2.4MB

  • Sample

    220112-llgz2scbcr

  • MD5

    ac9a3bee8f4924bd01db6699e0e30346

  • SHA1

    6b1ad646c44c704e2771a164884cf977e2657276

  • SHA256

    71bf42ba5f838c2e58ac0f55045ec263e4fd7b1ef977c780aa01a248e2df18ab

  • SHA512

    eb7b70387de6e6dfaf96a969d6c12a6666d1fc8cf3c7c1131c9fdc1f8f52d7b0162c59e9e9e454135fef9f66fd34682122f6e158a3e6b49d1484c7105b90388e

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

my7g

Decoy

pcbdscience.xyz

askselection.online

sk.supply

k4financialservices.com

dentafac.com

solutionsoutlet.net

tifournae.quest

officialjus.com

soy-salud.com

oilspe.com

treeguyphx.com

minirilla.com

receitasgostosinhas.com

ecoracing.tech

ifootballbootspro.com

inktechmedia.com

52yongle.com

golf-for-gold.com

acunbilgi.com

fagiroerde.quest

Extracted

Family

wshrat

C2

http://172.245.40.82:7121

Targets

    • Target

      Scan0035.js

    • Size

      2.4MB

    • MD5

      ac9a3bee8f4924bd01db6699e0e30346

    • SHA1

      6b1ad646c44c704e2771a164884cf977e2657276

    • SHA256

      71bf42ba5f838c2e58ac0f55045ec263e4fd7b1ef977c780aa01a248e2df18ab

    • SHA512

      eb7b70387de6e6dfaf96a969d6c12a6666d1fc8cf3c7c1131c9fdc1f8f52d7b0162c59e9e9e454135fef9f66fd34682122f6e158a3e6b49d1484c7105b90388e

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE WSHRAT CnC Checkin

      suricata: ET MALWARE WSHRAT CnC Checkin

    • suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

      suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

    • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

      suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    • Formbook Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks