Resubmissions

14-03-2022 14:03

220314-rcpanagcb9 10

14-03-2022 07:19

220314-h5h5nsfgaj 10

General

  • Target

    Draft_shipping_document.lzh

  • Size

    98KB

  • Sample

    220314-h5h5nsfgaj

  • MD5

    06d7ac6f214b0343962ace85e1c40e88

  • SHA1

    d022031b3b4b25d9a9587483de0a75089708a206

  • SHA256

    27b950f8b84e372d1b9d0fd7b918cb633eaa2556ef47c63baf0b916f04f5bffd

  • SHA512

    4fcb6de9a5f005d7081873c4b47deed11162523c844175361efce57132224c3a662df7c21b0973bce5e69cc8659c821b275ec5d723949f75c1dfedd123a24e7c

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k6sm

Decoy


Targets

    • Target

      Draft_shipping_document.vbs

    • Size

      805KB

    • MD5

      3d283fd545af947a47e6953d6335b98a

    • SHA1

      331b837d008efc12c0702b290c747581583169fd

    • SHA256

      280925849cd341c089c250b6609a0cab91026578f98bc2c45cb924dc9c8967a5

    • SHA512

      c954754254c31cf881bb96efc601b683ae9ba75a90054626186ac9392958bc5cb3bdc3b1348df3885f998002c0a3c523fd744b29bc149b9894bb04d480bf602c

    • Formbook

      Formbook is a data-stealing malware.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Formbook Payload

    • Adds policy Run key to start application

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Registry Run Keys / Startup Folder, T1060 (2)

  • Hidden Files and Directories, T1158 (1)

Defense Evasion

  • Modify Registry, T1112 (3)

  • Hidden Files and Directories, T1158 (1)

Credential Access

  • Credentials in Files, T1081 (1)

Discovery

  • Query Registry, T1012 (2)

  • System Information Discovery, T1082 (3)

Collection

  • Data from Local System, T1005 (1)

Tasks