General
Target: Scan0035.js
Size: 2.4MB
Sample: 220112-llgz2scbcr
MD5: ac9a3bee8f4924bd01db6699e0e30346
SHA1: 6b1ad646c44c704e2771a164884cf977e2657276
SHA256: 71bf42ba5f838c2e58ac0f55045ec263e4fd7b1ef977c780aa01a248e2df18ab
SHA512: eb7b70387de6e6dfaf96a969d6c12a6666d1fc8cf3c7c1131c9fdc1f8f52d7b0162c59e9e9e454135fef9f66fd34682122f6e158a3e6b49d1484c7105b90388e
Static task: static1
Behavioral task: behavioral1
Sample: Scan0035.js
Resource: win7-en-20211208
Malware Config

Extracted: formbook
Version: 4.1
Campaign: my7g
Domains:
pcbdscience.xyz
askselection.online
sk.supply
k4financialservices.com
dentafac.com
solutionsoutlet.net
tifournae.quest
officialjus.com
soy-salud.com
oilspe.com
treeguyphx.com
minirilla.com
receitasgostosinhas.com
ecoracing.tech
ifootballbootspro.com
inktechmedia.com
52yongle.com
golf-for-gold.com
acunbilgi.com
fagiroerde.quest
thebodyrack.com
candycaneshoes.com
nuanceinterpretation.com
capsulas-natural.com
tourpos.site
thundivillage.com
behfiliilliill.xyz
myaceviement.com
sitajour.com
muabanquabieu.com
wrkrg.info
a1-a2-ehliyet.xyz
fabricadesoftwares.com
nayainformatics.com
meiouya8.com
allestalub.xyz
imageuploadpro.com
queenb.media
unixem.xyz
metaverselayer.com
sonnuoccamau.com
alleinerziehend.love
fifsee.com
ironguardconsulting.info
tesladrops.space
opticsofsharedspaces.com
kk88126.com
arizonaarmcar.com
meredithandlance.com
scotipatria.com
5gb1.com
kozacms.com
client-info.online
qube.site
jesand.com
noviembreproject.com
dekolijubu.rest
businessinindonesia.com
cdkyhxaa.top
cafedetime.com
whosaidwhatwhere.com
paula-salon.com
superfoodgreece.com
sherosmag.com
alibabasite.com

Extracted: wshrat
C2: http://172.245.40.82:7121
Targets

Target: Scan0035.js
Size: 2.4MB
MD5: ac9a3bee8f4924bd01db6699e0e30346
SHA1: 6b1ad646c44c704e2771a164884cf977e2657276
SHA256: 71bf42ba5f838c2e58ac0f55045ec263e4fd7b1ef977c780aa01a248e2df18ab
SHA512: eb7b70387de6e6dfaf96a969d6c12a6666d1fc8cf3c7c1131c9fdc1f8f52d7b0162c59e9e9e454135fef9f66fd34682122f6e158a3e6b49d1484c7105b90388e
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Formbook Payload
Blocklisted process makes network request
Executes dropped EXE
Drops startup file
Loads dropped DLL
Accesses Microsoft Outlook accounts
Adds Run key to start application
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext