General

  • Target

    c40b2c40c1c0e82ecb066104d4208dad25f3af04dff98a9463cfe5ed82707ef4.rar.danger

  • Size

    10KB

  • Sample

    240808-qqv5patgjm

  • MD5

    39ece005776ab966c79c69e21f621f48

  • SHA1

    7762bedabdac482cc79c88a58366e1ca5987ba33

  • SHA256

    c40b2c40c1c0e82ecb066104d4208dad25f3af04dff98a9463cfe5ed82707ef4

  • SHA512

    d55a6e9da62048057e246c7c27e645b2cc0980d8d5e776d1cd5d96751e4785c28d9099c22c07bfcce76279318400db596525519fdeee12fc585b09eefe89dceb

  • SSDEEP

    192:jTtq5OFRA9ey3W4ZPPFkwdP/d7QGDa5L0kN3ExPx/Z+piK+ylFPUwYKMsaOKd:3tju9ey/ZSwp17QGm5Qo3sPMtz1MH

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sy52

Decoy

wxxj.asia

emu-oil.online

theprogressiontalks.com

saigonvape.com

cb257.pro

inucana.com

xn--pdr89n.vip

vtc.bzh

connexionsink.com

mastersofthevibes.com

mallsetuae.shop

bellaandbling.com

wagi88.one

273618.bid

japanvietnam-mall.com

lkd1t.rest

oflgjgiq.xyz

calliblography.com

idz8u.vip

marrybears.com

Targets

    • Target

      Arrival Notice_AWB 4560943391_PDF.vbs

    • Size

      29KB

    • MD5

      592e05d52785ac7ce91bedee1bed070a

    • SHA1

      fd7c461e71a467deaff4ef320482685347077943

    • SHA256

      ff3261173380df6010b5f2fec463df92180220c8ae6631637937b097b73af3f1

    • SHA512

      def9b1a31ccaa1942d7e0b0de4949bc94216aaf17622ec2de9c90b30e9cf50ae658da07e428985ae5a0aed60f9913937ed5fce5747d0ae61703894afbf3dc9c4

    • SSDEEP

      384:YzMKK76JtZpa/CQnG5daT7K5NV3mMEMRtkRExJ:YzMKHJtZpa/lnZT2NxmMzk6

    • Formbook

      Formbook is a data-stealing malware family.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Formbook payload

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks