Overview

overview

10

Static

static

PROCUREMENT_001.js

windows7_x64

10

PROCUREMENT_001.js

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PROCUREMENT_001.js

  • Size

    396KB

  • Sample

    220620-h8ydrscff4

  • MD5

    ead2e4417e0ba32a086cbd96ffde7ce5

  • SHA1

    0f47a3ec2a02054f1d54815544feaac77fb32793

  • SHA256

    cbc74da583fc123ca5783a7c977f382af7a71a227888d95a9b8203bd0a2adf62

  • SHA512

    e26c09f7e4318f62cc1e0f4f84e77cf28e6a3d68a0dfb20f84e8b849bc65bf06a4aca46c446c7ae7ea831b9ff047aa32fe6bb82b946e149d68bfa3df3f0efae4

Score
10/10
formbookvjw0rmxloaderr4wfloaderpersistenceratspywarestealersuricatatrojanworm

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

r4wf

Decoy

eQLhwti8E4CX1m8bp0WK2Q==

axoAyf6nwR9Y43o1nFx+930=

vf9fMlHrgdcI

TRQU8PPgFWegAcLFsjQ5TUX2

CFXUiz7SjsLqcQ==

XKeIL6Nmg+8pokY+wjaooasXRQIt

NLSkgIdanO/4SNPAdlKUrIms7Q==

TTKhgqyuCnCmH7yGa12g8HXrnY/nKGI=

5X0d70pNfaYGRgI=

fXXOk9C1+U9bhkIBIqn8

dN7HmMiv/TtAgyP2tYrEG2Yq4Yw=

HRqUgbJeorn4Zg==

MZ7Sh6xm71vhCNLW

7iFsO188fKYGRgI=

o9VC9kgPVXmCz2gBIqn8

B0y+iMbD+lzhCNLW

ciUeBS0WbdHuVGH+xJU=

Q3334PeyxydNmzoBIqn8

kgHx3RbrgdcI

WQjgo8h9g6YGRgI=

Extracted

Family

vjw0rm

C2

http://franmhort.duia.ro:8152

Targets

    • Target

      PROCUREMENT_001.js

    • Size

      396KB

    • MD5

      ead2e4417e0ba32a086cbd96ffde7ce5

    • SHA1

      0f47a3ec2a02054f1d54815544feaac77fb32793

    • SHA256

      cbc74da583fc123ca5783a7c977f382af7a71a227888d95a9b8203bd0a2adf62

    • SHA512

      e26c09f7e4318f62cc1e0f4f84e77cf28e6a3d68a0dfb20f84e8b849bc65bf06a4aca46c446c7ae7ea831b9ff047aa32fe6bb82b946e149d68bfa3df3f0efae4

    Score
    10/10
    vjw0rmxloaderr4wfloaderpersistenceratsuricatatrojanwormformbookspywarestealer

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

      trojanwormvjw0rm

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks