General

  • Target

    Wire-84844663637346665.PDF.vbs

  • Size

    75KB

  • Sample

    220121-rqp44saadl

  • MD5

    2eb1625e8d4e3f9b19ab947d188d0be8

  • SHA1

    7aad4e8d8f521d1c36a7468418047c8a5751b7e9

  • SHA256

    354529cf4cd5498c64a0c69c6dd9eb8962250542eea7f89a76faf64f5086da35

  • SHA512

    7e2f8553d3375d1cfe0132a3abe854a1457f08c1f3c6bfbe730c044fec1a127f3a9405c59b1f620f91ea76b7eb7d68fce78058b68f4a69437d2e08b0879ad517

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    ty13

  • Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Adds policy Run key to start application

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                             Count  ID
  Persistence         Registry Run Keys / Startup Folder    2      T1060
  Defense Evasion     Modify Registry                       3      T1112
  Credential Access   Credentials in Files                  1      T1081
  Discovery           Query Registry                        1      T1012
  Discovery           System Information Discovery          2      T1082
  Collection          Data from Local System                1      T1005

Tasks