formbook

General

Target

MV._KHARIS_PEAGSUS_V.SN2216.js
Size

1.1MB
Sample

221221-ml4z9afc7w
MD5

f6291775008f71c57a810fb5803328d7
SHA1

a8135b5c3e14002e35188f3cc5dd9e00dff21552
SHA256

c041a06efb25eff8fe0ef8ec1b43b3828ad4c3489827add8e156d7a2ec2a786e
SHA512

145606f3c434c5bdc2db38cf18ffdb359454cd973ff11158433a8955a845499f3a9b99f95664767e86efb75268cdea9f586fb7d9ebb64ef22c29e6fb5afed291
SSDEEP

12288:GtHYDeDuDLzi5Z96Svb/nYsv/ysXEizfPxuGYjSHOL08+t2gI5tx/gHtBbtj97eG:YaSDnYsv/ysXEizf5uquL4U96RN

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

ermr

Decoy

ErOK6LFCgNIAlQmH54oaYOL/CN29Z78=

qNSdDhu/PT/1fgafDagiCSZH1SY=

wLpPOAkYS8EABl3pHGc4hNT/Q1sHBrU=

jSxRvptHkeTGl7PT0SEmaZmjqzanuA==

b91oL+2wCcpyhnd6yvF6Pg==

mr81yp1/qqZX

hy7Xsz/PU/LWHMcGL4UYJx9n3A==

KlwrHt1gouPaXaWhoQ==

ng8M320IRJL9Ptw=

8GQbOXuaWxvKnNM=

XndOL7E5sNpVUNty4d/a

rryPBBC8PybYb+2h2MF3FHGL

kEoeyERSVCYO0g==

5/P+SBDby5hO

1fYXc30/h9W7iO17

34X+YKR+wRFE

8ir/X2MlVByh5lQ1ow8=

u9ikm2UMZ7J7hpCYow==

FLI+c3clp1BNDjVAfvC2Dnw=

t21Erq8/r09wAzAJTAH3Ng==

Targets

- Target
  
  MV._KHARIS_PEAGSUS_V.SN2216.js
- Size
  
  1.1MB
- MD5
  
  f6291775008f71c57a810fb5803328d7
- SHA1
  
  a8135b5c3e14002e35188f3cc5dd9e00dff21552
- SHA256
  
  c041a06efb25eff8fe0ef8ec1b43b3828ad4c3489827add8e156d7a2ec2a786e
- SHA512
  
  145606f3c434c5bdc2db38cf18ffdb359454cd973ff11158433a8955a845499f3a9b99f95664767e86efb75268cdea9f586fb7d9ebb64ef22c29e6fb5afed291
- SSDEEP
  
  12288:GtHYDeDuDLzi5Z96Svb/nYsv/ysXEizfPxuGYjSHOL08+t2gI5tx/gHtBbtj97eG:YaSDnYsv/ysXEizf5uquL4U96RN
Score

10^/10

formbook vjw0rm ermr rat spyware stealer trojan worm persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Vjw0rm

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2