General

  • Target

    thtqtg.z

  • Size

    243KB

  • Sample

    220916-przzlabeck

  • MD5

    85472d2cf09f107023d5ee19e2555513

  • SHA1

    ac19a580b509fdc5780b1888059ebcbb0bc3e541

  • SHA256

    8be898c1eda1bf171b3de470b284cd60bd8f1d2ffa879339cbc7e044e26ee5d7

  • SHA512

    a2e24c1df413d05aff297675059a1988f9bafd44cefbc00d2658d67b66677290a68970d74b457db53dbcd85f30a50b9c1743ccf77fd56a0357981599c01bca07

  • SSDEEP

    6144:hedxmqM+14R4GHaOtkq8oCA/57/aOdDjdqTaNE7EVTaYc:heH8OtARraEDjd2RW/c

Malware Config

Extracted

  • Family

    formbook

  • Campaign

    q4k5

  • Decoy


Targets

    • Target

      Confirmation transfer MT103_pdf.js

    • Size

      353KB

    • MD5

      3e4abaeae68b400b3bb636286f0aafa7

    • SHA1

      46aeb3dada4871e84cb7eeed98e9e94e10ceab3b

    • SHA256

      34de6de1c42174a1529b1e2920c51b1efa300fff48902e5a8a3836817e12c25b

    • SHA512

      28e6ef967408193b99d4ce4faa8f15fb334ffbe178156d4ba2e7f7849b57a6fe5d82c34bce7e8ea56997a076931d36792793948f6ccbeef1f97f82616996a959

    • SSDEEP

      6144:tC5Lz6L8qNMaXlcWa+syZ3hL0sG6ZPmY4JGrx01gqyvCKaT80S2gGxC:tCtHa1cvVihL7GUSGKgzaRY0S2JxC

    • Formbook

      Formbook is a data-stealing malware family.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks