formbook | 8aaf453b110fa7065e947c3ce62adba79a22b32894a5779bc2aa9cfd87d6df1c | Triage

Sharing

General

Target

MV TAYDO STAR-VESSEL PARTICULARS.js
Size

895KB
Sample

221217-j2pzgsbc3y
MD5

eaa0d0183335da6eaee3680ec0f11209
SHA1

d6506fa84779f2fb61b86a68c948f44f5abbee12
SHA256

8aaf453b110fa7065e947c3ce62adba79a22b32894a5779bc2aa9cfd87d6df1c
SHA512

61af0c623e36894abbfc6ed557c3a51d851c82273dbefeb186ee677b6eb5a800206500c27abbdaeea047119cf009e7c368c041bac4e98e06b51da09820c0f113
SSDEEP

12288:vxykgiEyf9c7MWYdDBYSv+FBkUQExkZ1DF+yNgeW/lWtFB4a:jEMc7MWiAu/J8Wma

Score

10^/10

formbook vjw0rm ermr persistence rat spyware stealer trojan worm

Malware Config

Extracted

Family

formbook

Campaign

ermr

Decoy

ErOK6LFCgNIAlQmH54oaYOL/CN29Z78=

qNSdDhu/PT/1fgafDagiCSZH1SY=

wLpPOAkYS8EABl3pHGc4hNT/Q1sHBrU=

jSxRvptHkeTGl7PT0SEmaZmjqzanuA==

b91oL+2wCcpyhnd6yvF6Pg==

mr81yp1/qqZX

hy7Xsz/PU/LWHMcGL4UYJx9n3A==

KlwrHt1gouPaXaWhoQ==

ng8M320IRJL9Ptw=

8GQbOXuaWxvKnNM=

XndOL7E5sNpVUNty4d/a

rryPBBC8PybYb+2h2MF3FHGL

kEoeyERSVCYO0g==

5/P+SBDby5hO

1fYXc30/h9W7iO17

34X+YKR+wRFE

8ir/X2MlVByh5lQ1ow8=

u9ikm2UMZ7J7hpCYow==

FLI+c3clp1BNDjVAfvC2Dnw=

t21Erq8/r09wAzAJTAH3Ng==

Targets

- Target
  
  MV TAYDO STAR-VESSEL PARTICULARS.js
- Size
  
  895KB
- MD5
  
  eaa0d0183335da6eaee3680ec0f11209
- SHA1
  
  d6506fa84779f2fb61b86a68c948f44f5abbee12
- SHA256
  
  8aaf453b110fa7065e947c3ce62adba79a22b32894a5779bc2aa9cfd87d6df1c
- SHA512
  
  61af0c623e36894abbfc6ed557c3a51d851c82273dbefeb186ee677b6eb5a800206500c27abbdaeea047119cf009e7c368c041bac4e98e06b51da09820c0f113
- SSDEEP
  
  12288:vxykgiEyf9c7MWYdDBYSv+FBkUQExkZ1DF+yNgeW/lWtFB4a:jEMc7MWiAu/J8Wma
Score

10^/10

formbook vjw0rm ermr persistence rat spyware stealer trojan worm
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookvjw0rmermrpersistenceratspywarestealertrojanworm

behavioral2

formbookvjw0rmermrpersistenceratspywarestealertrojanworm