formbook | e619a4c3b283514f6fec91b45659f766050d86117cbd75752096b719fb444b69 | Triage

Sharing

General

Target

RFQ PBMS 401055-STR-22.pdf.exe
Size

960KB
Sample

221010-hw3sqabbdn
MD5

d53349008874b77d087eac5ee7380c5b
SHA1

676219bcf2de1c6b73a366cf880d0702cbfc6f99
SHA256

e619a4c3b283514f6fec91b45659f766050d86117cbd75752096b719fb444b69
SHA512

8fc2de3635c447216b1aad8f1dd0b41152f9debb1d53da877dfd439cfb8551e5ebebf2621c9cd2c243e87786645e2fe12cd02db256f0c70b750a6c330442adae
SSDEEP

12288:KUTQO2iNCJ2uT8ejSo+aI2PfwnlOvAsijEo9Ogi5LGXshr9lyAKp:lD1FQtO5aIqAk8oUTixWsh5lWp

Score

10^/10

formbook nworm mmtr downloader evasion rat spyware stealer trojan worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

svetanakravenova247.ddns.net:3498

Mutex

37f24ea7

Extracted

Family

formbook

Campaign

mmtr

Decoy

A2DZqKcj5ytLVZtHJA==

fMXPWQG+JWa0S6lZOg==

8kymMDxB6ShVJHxu2gshFtXY9Rw=

1TcOF6WxcdzplqFGcUCNkBY=

k3TLhZ+bOG7ahplcPA==

K4kL5Aq5abHNS6lZOg==

mXDSo9XmxlqYN6psOA==

m+RNCVT4shAb

G1kzROn+2jCug7F5psQ=

qNYsJkWzqwkZ

0BcDQuH0xt4oBh4=

pfRW4ZhmRsEiyvP2Mg==

Sqgj4eztyCg0Ezwo39iHXQ==

bIi2etJbcdUB

k2g3gBesND9hUoKOzGaVFKX6IuUaknqH1Q==

8dFDXQPnb4s+sWfhwoqOdgmABBK+YGg=

Pn9PmDzelx84EjfdzY0WkiRPz6i4

SrUfvOfNO3DMdLvB

GFXHQ9NuPdHsxOiU2umGMSiTvQE=

Kv9sdrhSbDfMdLvB

Targets

- Target
  
  RFQ PBMS 401055-STR-22.pdf.exe
- Size
  
  960KB
- MD5
  
  d53349008874b77d087eac5ee7380c5b
- SHA1
  
  676219bcf2de1c6b73a366cf880d0702cbfc6f99
- SHA256
  
  e619a4c3b283514f6fec91b45659f766050d86117cbd75752096b719fb444b69
- SHA512
  
  8fc2de3635c447216b1aad8f1dd0b41152f9debb1d53da877dfd439cfb8551e5ebebf2621c9cd2c243e87786645e2fe12cd02db256f0c70b750a6c330442adae
- SSDEEP
  
  12288:KUTQO2iNCJ2uT8ejSo+aI2PfwnlOvAsijEo9Ogi5LGXshr9lyAKp:lD1FQtO5aIqAk8oUTixWsh5lWp
Score

10^/10

formbook nworm mmtr downloader evasion rat spyware stealer trojan worm
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Modifies visibility of file extensions in Explorer
  evasion
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
  worm downloader nworm
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooknwormmmtrdownloaderevasionratspywarestealertrojanworm

behavioral2

formbooknwormmmtrdownloaderevasionratspywarestealertrojanworm