General

  • Target

    Factura379292.vbs

  • Size

    167KB

  • Sample

    240325-txh1gscg68

  • MD5

    434d31ae787eaa00581d957487abe814

  • SHA1

    85abbe0d2e47a3128a9c94c77395cc33cc7a4da8

  • SHA256

    7c50209f50ce49960450dec8780918a112576c2034ac10d70e569693434bc23a

  • SHA512

    feafe13d3d5328ab4a8907a2999b6f8ae9182cd4c3758f9b081571eb367825958b8ccded5f74b65744a761b874f7924dc37d703ad55afd3f73d672ae5bfe6a95

  • SSDEEP

    3072:VpK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8DTIK/BXH:VpKyPeadLaz+k0zn1j7rZeqGbHfNcckI

Malware Config

  • Extracted

    Family: formbook
    Version: 4.1
    Campaign: mo46

  • Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Formbook payload

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2

  • Defense Evasion

    Modify Registry (T1112): 3

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

  • Command and Control

    Web Service (T1102): 1