General

  • Target

    Remittance Information (MT-103).vbs

  • Size

    80KB

  • Sample

    220124-rzpjyafad6

  • MD5

    d693624e3d9614a0dc9cf5a5cd1bb8ef

  • SHA1

    9c50c26e8b2f9c9acfa3192385df88d3144f351c

  • SHA256

    dcc73a1351b6b79d48f7b42a96edfb142ffe46f896e1ab9f412a615b1edd7c9b

  • SHA512

    b9bf3919fa3c105386ccb06da796d99c9f0100d24745a42989740bb1b22419f904a254b6c7542a10f90e2f7ba26dc887471f5de87d504644192abfcb7f364e17

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k6sm

Decoy


Targets

    • Target

      Remittance Information (MT-103).vbs


    • Formbook

      Formbook is a data-stealing malware family.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Formbook Payload

    • Adds policy Run key to start application

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder, T1060 (2)

  • Defense Evasion

    Modify Registry, T1112 (3)

  • Discovery

    Query Registry, T1012 (1)

    System Information Discovery, T1082 (2)

Tasks