General

  • Target

    New _Inquiry P.O4622.vbs

  • Size

    77KB

  • Sample

    220121-rqp44shgb3

  • MD5

    24e935f7534a81a7fd4e32daeab208a5

  • SHA1

    251ac05ebc8c963418dccddda127d2a81b5097db

  • SHA256

    5e6d8684c3f71ca6a76d22d1ddc536f302738a3027d22a5b1ce1852c9c551d99

  • SHA512

    4bd0afc25da140efadb8f49350df7dca32c781a520c85f217d77db6602e51a7731ef955b7d412f5a3edaa0c70cffe47b9b44eda88c3378052d101a1e071f4ede

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k6sm

Decoy


Targets


    • Formbook

      Formbook is an information-stealing malware family (infostealer).

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Formbook Payload

    • Adds policy Run key to start application

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive user data.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 2

  • Defense Evasion

    Modify Registry (T1112): 3

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 1