formbook

General

Target

8656936134.zip
Size

305KB
Sample

221227-wwzmysah4y
MD5

4ba49e2956fa72e96106ff1943468948
SHA1

2ef6ccd0587b17d676396d0279fb9e2a1d59f6d9
SHA256

2ecf4418c232bd10b9da9bf945644ec49e9742e6471dab8e11db0e413987f8bc
SHA512

cd61432c39d9e94a61b12e2a9e989af3bedb43c7052a167c1c6f5ed2ae7c36fad341fe34612f513f7c98db7af4ad657b25d563550de3102e8cfb444456c1c2eb
SSDEEP

6144:6SX1lG3FCNTUqfDgDFnXVujLi3J1rZ4ZQpHalInjrV32nkhlSNzeX:lls381nfD0FXVuSEZQ7XpX

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

ermr

Decoy

ErOK6LFCgNIAlQmH54oaYOL/CN29Z78=

qNSdDhu/PT/1fgafDagiCSZH1SY=

wLpPOAkYS8EABl3pHGc4hNT/Q1sHBrU=

jSxRvptHkeTGl7PT0SEmaZmjqzanuA==

b91oL+2wCcpyhnd6yvF6Pg==

mr81yp1/qqZX

hy7Xsz/PU/LWHMcGL4UYJx9n3A==

KlwrHt1gouPaXaWhoQ==

ng8M320IRJL9Ptw=

8GQbOXuaWxvKnNM=

XndOL7E5sNpVUNty4d/a

rryPBBC8PybYb+2h2MF3FHGL

kEoeyERSVCYO0g==

5/P+SBDby5hO

1fYXc30/h9W7iO17

34X+YKR+wRFE

8ir/X2MlVByh5lQ1ow8=

u9ikm2UMZ7J7hpCYow==

FLI+c3clp1BNDjVAfvC2Dnw=

t21Erq8/r09wAzAJTAH3Ng==

Targets

- Target
  
  c041a06efb25eff8fe0ef8ec1b43b3828ad4c3489827add8e156d7a2ec2a786e
- Size
  
  1.1MB
- MD5
  
  f6291775008f71c57a810fb5803328d7
- SHA1
  
  a8135b5c3e14002e35188f3cc5dd9e00dff21552
- SHA256
  
  c041a06efb25eff8fe0ef8ec1b43b3828ad4c3489827add8e156d7a2ec2a786e
- SHA512
  
  145606f3c434c5bdc2db38cf18ffdb359454cd973ff11158433a8955a845499f3a9b99f95664767e86efb75268cdea9f586fb7d9ebb64ef22c29e6fb5afed291
- SSDEEP
  
  12288:GtHYDeDuDLzi5Z96Svb/nYsv/ysXEizfPxuGYjSHOL08+t2gI5tx/gHtBbtj97eG:YaSDnYsv/ysXEizf5uquL4U96RN
Score

10^/10

formbook vjw0rm ermr persistence rat spyware stealer trojan worm
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Vjw0rm

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2