General

  • Target: RFQ PBMS 401055-STR-22.pdf.exe
  • Size: 960KB
  • Sample: 221010-hw3sqabbdn
  • MD5: d53349008874b77d087eac5ee7380c5b
  • SHA1: 676219bcf2de1c6b73a366cf880d0702cbfc6f99
  • SHA256: e619a4c3b283514f6fec91b45659f766050d86117cbd75752096b719fb444b69
  • SHA512: 8fc2de3635c447216b1aad8f1dd0b41152f9debb1d53da877dfd439cfb8551e5ebebf2621c9cd2c243e87786645e2fe12cd02db256f0c70b750a6c330442adae
  • SSDEEP: 12288:KUTQO2iNCJ2uT8ejSo+aI2PfwnlOvAsijEo9Ogi5LGXshr9lyAKp:lD1FQtO5aIqAk8oUTixWsh5lWp

Malware Config

Extracted (nworm)

  • Family: nworm
  • Version: v0.3.8
  • C2: svetanakravenova247.ddns.net:3498
  • Mutex: 37f24ea7

Extracted (formbook)

  • Family: formbook
  • Campaign: mmtr
  • Decoy (encoded decoy domains, as extracted):
      A2DZqKcj5ytLVZtHJA==
      fMXPWQG+JWa0S6lZOg==
      8kymMDxB6ShVJHxu2gshFtXY9Rw=
      1TcOF6WxcdzplqFGcUCNkBY=
      k3TLhZ+bOG7ahplcPA==
      K4kL5Aq5abHNS6lZOg==
      mXDSo9XmxlqYN6psOA==
      m+RNCVT4shAb
      G1kzROn+2jCug7F5psQ=
      qNYsJkWzqwkZ
      0BcDQuH0xt4oBh4=
      pfRW4ZhmRsEiyvP2Mg==
      Sqgj4eztyCg0Ezwo39iHXQ==
      bIi2etJbcdUB
      k2g3gBesND9hUoKOzGaVFKX6IuUaknqH1Q==
      8dFDXQPnb4s+sWfhwoqOdgmABBK+YGg=
      Pn9PmDzelx84EjfdzY0WkiRPz6i4
      SrUfvOfNO3DMdLvB
      GFXHQ9NuPdHsxOiU2umGMSiTvQE=
      Kv9sdrhSbDfMdLvB

Targets

    • Target: RFQ PBMS 401055-STR-22.pdf.exe

    • Formbook: Formbook is an information-stealing malware family.
    • Modifies visibility of file extensions in Explorer
    • NWorm: A TrickBot module used to propagate to vulnerable domain controllers.
    • Executes dropped EXE
    • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
    • Loads dropped DLL
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                       Count   ID
  Persistence         Hidden Files and Directories    1       T1158
  Defense Evasion     Hidden Files and Directories    1       T1158
  Defense Evasion     Modify Registry                 1       T1112
  Credential Access   Credentials in Files            1       T1081
  Discovery           Query Registry                  1       T1012
  Discovery           System Information Discovery    2       T1082
  Collection          Data from Local System          1       T1005

Tasks