General

  • Target

    justificante de pago_pdf.vbs

  • Size

    167KB

  • Sample

    240326-pxw5wsad92

  • MD5

    46fc70d31386d4539f1195a8c16981ad

  • SHA1

    003035fe7f9d28c394486f1f0941a411ed70ff86

  • SHA256

    2021b29b0f29e42b35f7796a8c7615307d555dcc4b0bbacb599f246f556e810a

  • SHA512

    c4ad8b45cd303759d73d2fff7b48de7a42a050baea363fe51f1e61aef3b34dd8264bfac38080af93d7ab7ed03e122f374e33d679c9b0b5894a1db0615c695ce6

  • SSDEEP

    3072:KpK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8DMXVMK8m:KpKyPeadLaz+k0zn1j7rZeqGbHfNcckd

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mo46

Decoy

Targets

    • Formbook

      Formbook is an information-stealing malware family that harvests data such as credentials and keystrokes from infected hosts.

    • Guloader, Cloudeye

      A shellcode based downloader first seen in 2020.

    • Formbook payload

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Each entry lists the technique name, its ATT&CK ID, and the number of matching signatures in parentheses.

  • Persistence

    Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (2)

  • Privilege Escalation

    Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (2)

  • Defense Evasion

    Modify Registry, T1112 (3)

  • Credential Access

    Unsecured Credentials, T1552 (1)
    Credentials In Files, T1552.001 (1)

  • Discovery

    Query Registry, T1012 (1)
    System Information Discovery, T1082 (2)

  • Collection

    Data from Local System, T1005 (1)

  • Command and Control

    Web Service, T1102 (1)
