General

  • Target

    ORDER_PO251455222785xls.js

  • Size

    360KB

  • Sample

    221005-l7c8zseac5

  • MD5

    da85ecaf5be8dec7f830cad375d64b02

  • SHA1

    d98c20911248a4cd751f33bcb1bbbfc8417b8414

  • SHA256

    82e21bcf9876cac1633fa8fea190eedf18f97dd55cef0a6606256d0f35f1953f

  • SHA512

    8099cb708368b2ade3a7edccbf406fad7c8585fc811bcadd9cefd6430afb081b406d1f03b970b7d1428ab7797383e5a6a10f702653f23414ed3de2141b49ec7d

  • SSDEEP

    6144:VVvgl428Abxr7Iq3EoGox10qXip+G2Ew2Vno8CCFAB/hWFTfnylmgUNMabvg:Vyl425lEjqXk+Gxw2JCCeBqXgUNMab4

Malware Config

  • Extracted

    • Family

      formbook

    • Campaign

      douy

    • Decoy

      q/gE5cI3rDQ=
      mWCSTU/0Qg0y2LI=
      Ozoj90916XZyH/FO1eCN0FbH3B8AxgG7Ew==
      g5GYftfE/MwWgYzxjKuH
      vYfWrnDlWBLBYqeE
      Ovww28VyrH1wHcha2A==
      lqgaxrprk2qvYslb2g==
      oELEK3LYUxWCa7iY1pVWxhBaQQ==
      8Qp7H/31ZmEJzbA=
      v1ZJvbrbN8Csuid/4vRrXKLjDoB3PQa5
      ZCbNYcXjHpvlbrKO
      9LL1wbJRw4QPGFwyQxePqS2ZaO3T1Q==
      H9oCe3eR/b6yh8lO07snFpmfgI0=
      +9aXS875O7eqViZPlo47yhxnSw==
      eTqN+HUSjk3lbrKO
      xDCvt/BcVjCQ
      +5yHTtcBR9bcr/Ok2xfBCw==
      up7eiFXqd0blbrKO
      tIDEiHde4YZeHcha2A==
      CNDqbko6tnpqHcha2A==

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks