General

  • Target

    QUOTATION.js

  • Size

    348KB

  • Sample

    221017-v793dscfgn

  • MD5

    ef2979f13b34b227f407b2f6a611fcb8

  • SHA1

    c3ee0b25966c0571ba88d2baf82e77f7cac99e6f

  • SHA256

    e5c140ad8d505a1b3efd96367d141f6c823f27b1b04bb53bce47baef12914052

  • SHA512

    96ddca1b609edee64ddde021495b53b60a46bd168aed8a2b3a632496d3d3991bcbe76598c98114ddd61bd9001835b51e3773116faec02f7cc5f1b42b0510875c

  • SSDEEP

    6144:/wkHXb6B9k9EcJCiqi82k6DpDtbl4SoKoGb/OMnKUU09JnglNhb:4G2vk9EcJCbi8ONDtp4So+/Up4neHb

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    c0e5

  • Decoy

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Formbook payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks