General

  • Target

    Swift_049949_pdf.js

  • Size

    356KB

  • Sample

    221012-r8194agbd7

  • MD5

    f01befe67328d6895946ab4c8763f006

  • SHA1

    b302694c2c69da517b88eec771d8fc2c13ad5a66

  • SHA256

    4a9a8778e84343f5992bddbfdec6e7d45ca399d1f20a44bcb8eaccd05372f193

  • SHA512

    012fd72d8a70023772345213fdefb6382e4658e97bfd27cd4610312e4aa7fd113bde436f159451b77688ca876401cd05b2a207d194a3e562b265fbcdfb0a17a4

  • SSDEEP

    6144:BWCdn1qRUAtmWXwXXJ528/RpFH81oTrmYW1XEMnGWrUvfhZN8gkU9uQyp:BbqZmWXsXzLH981omYHMGWuZZOrU+p

Malware Config

Extracted

Family

formbook

Campaign

xrob

Decoy

dV8FCtdWdnfMJ9thh8l/

IJG6Bh4iMeHVBHNp2MrpTA==

NhPKKtmQxnHYF/80

f4M2RhGEf3Ot13+qLrKqxb9f3dXj9Q==

A/689/MibSRBgkPkx07m+H+g

e8OOkUu9y/uYCMsdrR3s0mODmGw3d8t9Og==

gLN5bn+Zq1VQXmOOvw==

NFcQGvViY5sxmkty83Fde4GQhg==

XWMfFSM3f7GT9w==

Ih6vvqf9R8gDObM=

FGAlLASHlpLaUUKUJIwm9ABQ2Js=

v8R615LDC8iWchwv

m+u3rLUxScgDObM=

jc3eahERf7GT9w==

TYNBVDadkpTF76HeNl/rbwWtLSbyPzM=

j6NQmhWeOi2B

aqJocUfM3v97ryScY6EiSMbVyBak

V7nYOyEZKa2J/KKh5RMhJrbyK/eC/Q==

8zPsAt3ejcgDObM=

Rpe+BrGBzpGa9q8FHKpi

Targets

    • Target

      Swift_049949_pdf.js

    • Size

      356KB

    • MD5

      f01befe67328d6895946ab4c8763f006

    • SHA1

      b302694c2c69da517b88eec771d8fc2c13ad5a66

    • SHA256

      4a9a8778e84343f5992bddbfdec6e7d45ca399d1f20a44bcb8eaccd05372f193

    • SHA512

      012fd72d8a70023772345213fdefb6382e4658e97bfd27cd4610312e4aa7fd113bde436f159451b77688ca876401cd05b2a207d194a3e562b265fbcdfb0a17a4

    • SSDEEP

      6144:BWCdn1qRUAtmWXwXXJ528/RpFH81oTrmYW1XEMnGWrUvfhZN8gkU9uQyp:BbqZmWXsXzLH981omYHMGWuZZOrU+p

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks