formbook | 93e11bd9c359b03f6d2a3add3d1a109275eaadc5b9875b395f9d87e302db93dd | Triage

Sharing

General

Target

RFQ PBMS 401055-STR-22.pdf.exe
Size

1.0MB
Sample

221010-mns1rsbfem
MD5

bbbffc29c40c5e0e4aba9fd4e2a677f9
SHA1

a9ab9ba1a90d144a6ba982003d2116a5b7dd42da
SHA256

93e11bd9c359b03f6d2a3add3d1a109275eaadc5b9875b395f9d87e302db93dd
SHA512

4381510e00a00b55e41e85cbfc4f67520570d43e1e76918679fba06812dcceebd8002e5f84b963a010c2f5f1c59f123f15b6ff6615ba174299166197845e228e
SSDEEP

12288:FSmZqMm9II2iNPv9sXAwe7CrtPVGVh9dpcjSJnu5lzAKp:ZTI1LWAt7YVkdTJn2lDp

Score

10^/10

formbook nworm mmtr downloader evasion rat spyware stealer trojan worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

svetanakravenova247.ddns.net:3498

Mutex

37f24ea7

Extracted

Family

formbook

Campaign

mmtr

Decoy

A2DZqKcj5ytLVZtHJA==

fMXPWQG+JWa0S6lZOg==

8kymMDxB6ShVJHxu2gshFtXY9Rw=

1TcOF6WxcdzplqFGcUCNkBY=

k3TLhZ+bOG7ahplcPA==

K4kL5Aq5abHNS6lZOg==

mXDSo9XmxlqYN6psOA==

m+RNCVT4shAb

G1kzROn+2jCug7F5psQ=

qNYsJkWzqwkZ

0BcDQuH0xt4oBh4=

pfRW4ZhmRsEiyvP2Mg==

Sqgj4eztyCg0Ezwo39iHXQ==

bIi2etJbcdUB

k2g3gBesND9hUoKOzGaVFKX6IuUaknqH1Q==

8dFDXQPnb4s+sWfhwoqOdgmABBK+YGg=

Pn9PmDzelx84EjfdzY0WkiRPz6i4

SrUfvOfNO3DMdLvB

GFXHQ9NuPdHsxOiU2umGMSiTvQE=

Kv9sdrhSbDfMdLvB

Targets

- Target
  
  RFQ PBMS 401055-STR-22.pdf.exe
- Size
  
  1.0MB
- MD5
  
  bbbffc29c40c5e0e4aba9fd4e2a677f9
- SHA1
  
  a9ab9ba1a90d144a6ba982003d2116a5b7dd42da
- SHA256
  
  93e11bd9c359b03f6d2a3add3d1a109275eaadc5b9875b395f9d87e302db93dd
- SHA512
  
  4381510e00a00b55e41e85cbfc4f67520570d43e1e76918679fba06812dcceebd8002e5f84b963a010c2f5f1c59f123f15b6ff6615ba174299166197845e228e
- SSDEEP
  
  12288:FSmZqMm9II2iNPv9sXAwe7CrtPVGVh9dpcjSJnu5lzAKp:ZTI1LWAt7YVkdTJn2lDp
Score

10^/10

formbook nworm mmtr downloader evasion rat spyware stealer trojan worm
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Modifies visibility of file extensions in Explorer
  evasion
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
  worm downloader nworm
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooknwormmmtrdownloaderevasionratspywarestealertrojanworm

behavioral2

formbooknwormmmtrdownloaderratspywarestealertrojanworm