General

  • Target

    Bill_for_September.js.zip

  • Size

    74KB

  • Sample

    220921-1z91bacfhl

  • MD5

    3494fc2f6b4202b14ceda6405307950a

  • SHA1

    fdd2c7d1f07ff74450810910b28cdf035a9e6386

  • SHA256

    8f9470bd79fd7d046bd36e69684507151ce3120423dddb89c53574133282ef79

  • SHA512

    4f64b17720b23f96b2d84cfc7d076bc1223f5ebee2c852c9fb501a613feaf5f7a21229be912e8174a57a78bbed456210e0f444e8428e6b894e77622d25ea3634

  • SSDEEP

    1536:7ofZa7JWYz61RsUJ0sKCdNugdvcXYnJ0AYzyJ:KZKzSWT5ctcX+hWyJ

Malware Config

Extracted

Family

formbook

Campaign

te2r

Decoy

Targets

    • Target

      Bill_for_September.js

    • Size

      117KB

    • MD5

      0d4ce6bd62a6939871782dbf6dc33905

    • SHA1

      c59f4f36d9b46b8e4c131401fa4054f50450e245

    • SHA256

      4fcdcb3039331525724bfeb0cbc97bd0893de48d4aa4ca95e282f0a8f2a1a5ab

    • SHA512

      07b7f3d7cb81a48c90f21bfdf22b0f6cb3941631ab14d05004b813f031d0c5b41538818e4b8c15b83081f48f522adce9b3e01d9f43cf3d202d142f0ea806aff1

    • SSDEEP

      1536:LfgQ2U241TiKP3/qopoIo8kQjZs1BGMLOivlSPPQh7l1GCVbabMOijrkJpQt:BVxiufpoTnBzK7cvhaoNr1t

    • Formbook

      Formbook is an information-stealing malware.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Drops startup file

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks