General
-
Target
Remittance Information (MT-103).vbs
-
Size
80KB
-
Sample
220124-rzpjyafad6
-
MD5
d693624e3d9614a0dc9cf5a5cd1bb8ef
-
SHA1
9c50c26e8b2f9c9acfa3192385df88d3144f351c
-
SHA256
dcc73a1351b6b79d48f7b42a96edfb142ffe46f896e1ab9f412a615b1edd7c9b
-
SHA512
b9bf3919fa3c105386ccb06da796d99c9f0100d24745a42989740bb1b22419f904a254b6c7542a10f90e2f7ba26dc887471f5de87d504644192abfcb7f364e17
Static task
static1
Behavioral task
behavioral1
Sample
Remittance Information (MT-103).vbs
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Remittance Information (MT-103).vbs
Resource
win10-en-20211208
Malware Config
Extracted
formbook
4.1
k6sm
mingshengjewelry.com
ontimecleaningenterprise.com
alyssa0.xyz
ptecex.xyz
dukfot.online
pvcpc.com
iowalawtechnology.com
nestletranspotation.com
mysithomes.com
greenlakespaseattle.com
evofishingsystems.com
unilytcs.com
ordemt.com
dentalbatonrouge.com
pictureme360.net
chalinaslacatalana.com
newmirrorimage.xyz
pinklaceandlemonade.com
rapinantes.com
yzicpa.com
josephosman.com
robsarra.com
shumgroup.net
flooringnewhampshire.com
onceadayman.com
audiomacklaunch.xyz
hurryburry.com
golfvid.info
tutortenbobemail.com
tatlitelasorganizasyon.com
tqgtdd.space
classicalruns.com
xx3tgnf.xyz
galwayartanddesign.com
qidu.press
crypto-obmennik.com
dn360rn001.com
tridim.tech
phamhome.com
mediadollskill.com
loveatmetaverse.com
electric4x4parts.com
azulymargarita.com
isadoramel.com
rubyclean.com
officiallydanellewright.com
wu8d349s67op.xyz
detetivepyther.com
wondubniumgy463.xyz
registry-finance3.com
ultracoding.com
open-4business.com
supremelt.online
pangfeng.xyz
morneview.com
northfloridapsychic.com
kg4bppuh.xyz
friv.asia
epsilonhomecare.com
hbina.com
beachhutprinting.com
sophoscloudoptix.net
managemarksol.site
palestyna24.info
usyeslogistics.com
Targets
-
-
Target
Remittance Information (MT-103).vbs
-
Size
80KB
-
MD5
d693624e3d9614a0dc9cf5a5cd1bb8ef
-
SHA1
9c50c26e8b2f9c9acfa3192385df88d3144f351c
-
SHA256
dcc73a1351b6b79d48f7b42a96edfb142ffe46f896e1ab9f412a615b1edd7c9b
-
SHA512
b9bf3919fa3c105386ccb06da796d99c9f0100d24745a42989740bb1b22419f904a254b6c7542a10f90e2f7ba26dc887471f5de87d504644192abfcb7f364e17
-
Formbook Payload
-
Adds policy Run key to start application
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Adds Run key to start application
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-