General

  • Target

    Scan00516.js

  • Size

    2.8MB

  • Sample

    230808-mty4zade91

  • MD5

    cceb6f7af35075d52fb1abbbcba9d552

  • SHA1

    db1fb42b122d7dfe6870a9a5158cd16a54f500b9

  • SHA256

    e65ec8d385c6ce480304b3ef59bcae22c5513e74394d0c4ddea7c3ce61bcc5a9

  • SHA512

    694efc7c76eca5a222b811cb4f71cfe914f1206a316db65cbec9e947133f8b047ffb0f86f3f3552e398b4fd6f22ce54f7bb99971d4070ce8eb9a52d1f2cf20a5

  • SSDEEP

    12288:HEjhLV6ErrE79GfPIE9bR/Ncojw3Qxe1C5SsPuUhoGp8b+hRmgQeemB7JpPBgKq0:2

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

me15

Decoy


Extracted

Family

wshrat

C2

http://45.90.222.131:7121

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Formbook payload

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Nirsoft

    • Blocklisted process makes network request

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
