General

  • Target

    RFQ PBMS 401055-STR-22.pdf.exe

  • Size

    1.0MB

  • Sample

    221010-mns1rsbfem

  • MD5

    bbbffc29c40c5e0e4aba9fd4e2a677f9

  • SHA1

    a9ab9ba1a90d144a6ba982003d2116a5b7dd42da

  • SHA256

    93e11bd9c359b03f6d2a3add3d1a109275eaadc5b9875b395f9d87e302db93dd

  • SHA512

    4381510e00a00b55e41e85cbfc4f67520570d43e1e76918679fba06812dcceebd8002e5f84b963a010c2f5f1c59f123f15b6ff6615ba174299166197845e228e

  • SSDEEP

    12288:FSmZqMm9II2iNPv9sXAwe7CrtPVGVh9dpcjSJnu5lzAKp:ZTI1LWAt7YVkdTJn2lDp

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

svetanakravenova247.ddns.net:3498

Mutex

37f24ea7

Extracted

Family

formbook

Campaign

mmtr

Decoy

A2DZqKcj5ytLVZtHJA==

fMXPWQG+JWa0S6lZOg==

8kymMDxB6ShVJHxu2gshFtXY9Rw=

1TcOF6WxcdzplqFGcUCNkBY=

k3TLhZ+bOG7ahplcPA==

K4kL5Aq5abHNS6lZOg==

mXDSo9XmxlqYN6psOA==

m+RNCVT4shAb

G1kzROn+2jCug7F5psQ=

qNYsJkWzqwkZ

0BcDQuH0xt4oBh4=

pfRW4ZhmRsEiyvP2Mg==

Sqgj4eztyCg0Ezwo39iHXQ==

bIi2etJbcdUB

k2g3gBesND9hUoKOzGaVFKX6IuUaknqH1Q==

8dFDXQPnb4s+sWfhwoqOdgmABBK+YGg=

Pn9PmDzelx84EjfdzY0WkiRPz6i4

SrUfvOfNO3DMdLvB

GFXHQ9NuPdHsxOiU2umGMSiTvQE=

Kv9sdrhSbDfMdLvB

Targets

    • Target

      RFQ PBMS 401055-STR-22.pdf.exe

    • Size

      1.0MB

    • MD5

      bbbffc29c40c5e0e4aba9fd4e2a677f9

    • SHA1

      a9ab9ba1a90d144a6ba982003d2116a5b7dd42da

    • SHA256

      93e11bd9c359b03f6d2a3add3d1a109275eaadc5b9875b395f9d87e302db93dd

    • SHA512

      4381510e00a00b55e41e85cbfc4f67520570d43e1e76918679fba06812dcceebd8002e5f84b963a010c2f5f1c59f123f15b6ff6615ba174299166197845e228e

    • SSDEEP

      12288:FSmZqMm9II2iNPv9sXAwe7CrtPVGVh9dpcjSJnu5lzAKp:ZTI1LWAt7YVkdTJn2lDp

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Modifies visibility of file extensions in Explorer

    • NWorm

      A TrickBot module used to propagate to vulnerable domain controllers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks