Overview

overview

10

Static

static

1

17bc4c1480...83.vbs

windows7-x64

8

17bc4c1480...83.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    17bc4c1480d734465bb1ee3c30ca572ac97d37f75abf0bd9644b00fb73860c83.vbs

  • Size

    157KB

  • Sample

    240322-cj7m9afa26

  • MD5

    03e7e28998881d12bf13a6ece8141d72

  • SHA1

    8b8a448c626ceb28e4a4088b493596f0ce9518c9

  • SHA256

    17bc4c1480d734465bb1ee3c30ca572ac97d37f75abf0bd9644b00fb73860c83

  • SHA512

    b4414a0ef0ebb6bc08be3d42f76a6e27f299c2045ac661e73994cbf2557436278a9b08c96f667da2694c5bd5a598769f81228dc7072a9e39288667a2d998ca6a

  • SSDEEP

    3072:OaDcD0SZh/awGqU42RvG+q4xgc3RR+vsZbqXRF1kEcVwJbkd+xCQqV4TgJaSX:cD0Sn/s42Rvrq4xgc3RR+vYbqXRFtcV9

Score
10/10
formbookfe15ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fe15

Decoy

ivynet.online

luckypermaisuri4d.monster

airoma.top

kp2d.xyz

oliviarosebridal.com

cartelcollectionz.com

qereport.com

radyomdeniz.com

nakedsonproductions.com

hanamasa.xyz

demontimemail.com

shannoncarpenterrealtor.online

jlzjunkremoval.com

key-talent-solutions.com

jaydanne.com

dmstgy.site

rings-32342.bond

gpoixev.online

orabox.shop

carrothong.space

Targets

    • Target

      17bc4c1480d734465bb1ee3c30ca572ac97d37f75abf0bd9644b00fb73860c83.vbs

    • Size

      157KB

    • MD5

      03e7e28998881d12bf13a6ece8141d72

    • SHA1

      8b8a448c626ceb28e4a4088b493596f0ce9518c9

    • SHA256

      17bc4c1480d734465bb1ee3c30ca572ac97d37f75abf0bd9644b00fb73860c83

    • SHA512

      b4414a0ef0ebb6bc08be3d42f76a6e27f299c2045ac661e73994cbf2557436278a9b08c96f667da2694c5bd5a598769f81228dc7072a9e39288667a2d998ca6a

    • SSDEEP

      3072:OaDcD0SZh/awGqU42RvG+q4xgc3RR+vsZbqXRF1kEcVwJbkd+xCQqV4TgJaSX:cD0Sn/s42Rvrq4xgc3RR+vYbqXRFtcV9

    Score
    10/10
    formbookfe15ratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks