formbook

General

Target

Scan005510.js
Size

5.3MB
Sample

230718-qc774abc71
MD5

dcdd70327905af1b3bee089b4f47a343
SHA1

fc26fd4b71a7d6f94d191eca8ad1e4303a679075
SHA256

58f1b6a6931817eaef17e92901372bc6032dd0e6aa0636f82c7b3176c1ded8ea
SHA512

befa67677050ae06352e55fbaefb7287ff88b1428eafa1cc63342339e358081b6b0e3fb98473906ee64bca28314c981fa98c70fcd94383da0d95d8d92b9f38ef
SSDEEP

6144:XgHrlNOv7uIeLpJMaO/lfSiSiV/r3ZPuK/v4lOVdMorRpVDBqP3nvBrXQklUOu6z:iPB

Score

10^/10

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.131:7121

Extracted

Family

formbook

Version

4.1

Campaign

me15

Decoy

thegrill253.com

arthousecorp.com

acre-com.com

dreambarnhollow.com

winwin220693.online

shinohtrade.com

blockcchain.help

8hx3.vip

lifeshinelearning.com

havencoinvestmentgroup.com

thebesthomehacks.com

the-country-wiki.com

xskt.club

sunrisemedia.space

crecrown.com

0hpail.cyou

artwelding.store

psilome.com

layerbabuena.club

miras.shop

Targets

- Target
  
  Scan005510.js
- Size
  
  5.3MB
- MD5
  
  dcdd70327905af1b3bee089b4f47a343
- SHA1
  
  fc26fd4b71a7d6f94d191eca8ad1e4303a679075
- SHA256
  
  58f1b6a6931817eaef17e92901372bc6032dd0e6aa0636f82c7b3176c1ded8ea
- SHA512
  
  befa67677050ae06352e55fbaefb7287ff88b1428eafa1cc63342339e358081b6b0e3fb98473906ee64bca28314c981fa98c70fcd94383da0d95d8d92b9f38ef
- SSDEEP
  
  6144:XgHrlNOv7uIeLpJMaO/lfSiSiV/r3ZPuK/v4lOVdMorRpVDBqP3nvBrXQklUOu6z:iPB
Score

10^/10

wshrat discovery persistence trojan formbook guloader me15 downloader rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Formbook payload
  rat
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Guloader,Cloudeye

WSHRAT

Formbook payload

Blocklisted process makes network request

Checks QEMU agent file

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2