formbook

General

Target

8067596131.zip
Size

18KB
Sample

220929-xtd4xacgbp
MD5

f9dec91d4979322f2b2261ce6ce4282b
SHA1

619ebc031da23290c6d83d162b46c4729a2d8beb
SHA256

e34dd5355c71f2a1979861885f5816262b7e9787aec9d937ceb699837f91cb9b
SHA512

96fce6de55c4a00363874cc0d52a68365c4ac88ff35138a7b501ccebd45576e882d18075cbffb810495aa7eaf5300a83c2fc34c0032a8b50adfd17ad27a4e835
SSDEEP

384:h5MEKvmhQfRvOjhmB6bzOWYZpm4Phj1zol7/17Kpyw/8xkKnTol:h5MpmhmvO1m6PXYZp1rScd/A5Ml

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

u8ow

Decoy

j5a7vTwyeK/qHg==

M2qzs6QwZ5sVSqCc

7KoU1t9NdRnqZ8ML+cB8x38C

pgeKvdoqNNao7Cr94QiDuw==

/QZJhRORtafU/zeqK4o+

2JvqeTAGpQBYdqgXoA4=

5zJ7fa0A0PgCFA==

cnq44WjiBQ5VfKgXoA4=

oAp6hcdNVbr2NaHk4QiDuw==

Z/w2v4V/zV8aVoFnW0zzSt6hYjbD

WJ74K7ehJCNed6gXoA4=

hCRY0pmWSLhPzeTztw==

ZNhbVFvL8KKYyj2udtFXr3U8T6LZeQ==

ur75Bj2XjwVNhAGA

BlhiocrRF/kDFg==

aQY19Du631WFpEg=

yGCGEReSv1T1JVmWfHwp

cvso1tUbJeLrMlhjg4Z8x38C

XmTsffB+q25IYuOWfHwp

ry8fNm8E0PgCFA==

Extracted

Family

wshrat

C2

http://3lv15.duckdns.org:6697

Targets

- Target
  
  25027a9677193ee152a6621382d40fcf31437b4366f6566d369f24d93f52f56d
- Size
  
  47KB
- MD5
  
  771ee97bd2e61801d47f37b60a69d1c8
- SHA1
  
  b77ea83d939bc5ce8ceff9668488f8045ba58a0b
- SHA256
  
  25027a9677193ee152a6621382d40fcf31437b4366f6566d369f24d93f52f56d
- SHA512
  
  2ac19e006117d449467ec49f4b600293775bdbb0f03869a6e7c914449fb522d22f74ab060d0086ef1a033c91d987c38ddd97e258a7575581e95d68b1657737b1
- SSDEEP
  
  768:bH5hjkXAZJMdHG7TH8eA0oWz6nSwsmjX1uMW7/1W8eXBnKX2CzHsPOux4GsPje//:bH5hIwZ+dHk8n0ISwXZ8OBKX2yKCXlgT
Score

10^/10

formbook vjw0rm wshrat u8ow persistence rat spyware stealer trojan worm
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Vjw0rm

WSHRAT

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Drops startup file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2