formbook | 1f13b5415eeb928d53bebf18d722931f88318acf23aba61e8fdb237604fa31e4 | Triage

Sharing

General

Target

8596011572.zip
Size

236KB
Sample

221214-tm38nsad88
MD5

cc26fb64b36b578b827448e6054600f4
SHA1

69a0755dd3787cb560abbce0777ceef1a71bd39d
SHA256

1f13b5415eeb928d53bebf18d722931f88318acf23aba61e8fdb237604fa31e4
SHA512

05d4dff58948b744d897aad3c92a1883342fee35631f53da769d6451c6ba2f672c58fcf4a3571ecba398ac543bcb3b6f2f58dd3d024e5295e3cd6dd45176430f
SSDEEP

6144:4Ky6EjUHwqgcAxcVzfBCThkmlg06F2XanfxwSLQ+tYM:4Ky6mFq8+bCrIF2Xa5V1tR

Score

10^/10

formbook vjw0rm ermr persistence rat spyware stealer trojan worm

Malware Config

Extracted

Family

formbook

Campaign

ermr

Decoy

ErOK6LFCgNIAlQmH54oaYOL/CN29Z78=

qNSdDhu/PT/1fgafDagiCSZH1SY=

wLpPOAkYS8EABl3pHGc4hNT/Q1sHBrU=

jSxRvptHkeTGl7PT0SEmaZmjqzanuA==

b91oL+2wCcpyhnd6yvF6Pg==

mr81yp1/qqZX

hy7Xsz/PU/LWHMcGL4UYJx9n3A==

KlwrHt1gouPaXaWhoQ==

ng8M320IRJL9Ptw=

8GQbOXuaWxvKnNM=

XndOL7E5sNpVUNty4d/a

rryPBBC8PybYb+2h2MF3FHGL

kEoeyERSVCYO0g==

5/P+SBDby5hO

1fYXc30/h9W7iO17

34X+YKR+wRFE

8ir/X2MlVByh5lQ1ow8=

u9ikm2UMZ7J7hpCYow==

FLI+c3clp1BNDjVAfvC2Dnw=

t21Erq8/r09wAzAJTAH3Ng==

Targets

- Target
  
  5f6871902c55755cca82c3323edaa035b9aff50e7d22a98773e3a88c74834889
- Size
  
  587KB
- MD5
  
  5566e15bfef44a5fd758e80f6dcd2151
- SHA1
  
  3c624232ced09083c78e4ae0f188826b9a329ebb
- SHA256
  
  5f6871902c55755cca82c3323edaa035b9aff50e7d22a98773e3a88c74834889
- SHA512
  
  54ccac9c782a0d80b8e2e4cefd8263abc7bf95234b7e505eec352e7d9f29663719adfca16e6e8fd411293db32c021e49e711ae3679e32eb0d3220d322f05a000
- SSDEEP
  
  12288:pUBw3Cqaa0QxK8rVFsG2jUV+D22CyiGBFxpebbVZ5Px3Y4ke5:9nrPsGYDZhwr5
Score

10^/10

formbook vjw0rm ermr persistence rat spyware stealer trojan worm
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookvjw0rmermrpersistenceratspywarestealertrojanworm

behavioral2

formbookvjw0rmermrratspywarestealertrojanworm