General
-
Target
RFQ Order PT502818.xls.vbs
-
Size
13KB
-
Sample
250326-qemdeav1dv
-
MD5
2bd4b9968087610996ce5ebf4d54daf7
-
SHA1
765b890da74d5abefcee81d348eca4b02532bb63
-
SHA256
bd3a12a40c2387cebef93cb3030ebcf879e43683424069898e5a0053100787fa
-
SHA512
3b8f414b02842bc1216bd59b442cbf9f0292bb8aa083f37d8e6c624500e1688cb9159d69481f5da86733a5db90ed7f5b21e91e51a151fe6b274ba2b9b10f0b9f
-
SSDEEP
192:UK222222222222222EBtqYtYzXpo490mqLOqx9dtE17cyv4wCxe1evzzR9pzhycK:NtOAdso8arZFmcZ80f2N
Malware Config
Extracted
formbook
4.1
mtpi
jpsjlpszv1emibow.cyou
iyfeszfot8zdkmkb.cyou
adutils-e2e-test3-4357742.zone
protecttech.shop
atneb.autos
exclusivepiscinas.net
jan-aadhaar.shop
absorbalineraquatic.cloud
warehouse-092.today
authme.now
lekido.tech
etimestrips.store
astilbeastiteaubades.cloud
5335588a59.buzz
nw01erf.pro
tokenpool.xyz
b2cstore.net
emiuniv.online
yylmhzt.xyz
jessicabyheart.store
Targets
-
-
Target
RFQ Order PT502818.xls.vbs
-
Size
13KB
-
MD5
2bd4b9968087610996ce5ebf4d54daf7
-
SHA1
765b890da74d5abefcee81d348eca4b02532bb63
-
SHA256
bd3a12a40c2387cebef93cb3030ebcf879e43683424069898e5a0053100787fa
-
SHA512
3b8f414b02842bc1216bd59b442cbf9f0292bb8aa083f37d8e6c624500e1688cb9159d69481f5da86733a5db90ed7f5b21e91e51a151fe6b274ba2b9b10f0b9f
-
SSDEEP
192:UK222222222222222EBtqYtYzXpo490mqLOqx9dtE17cyv4wCxe1evzzR9pzhycK:NtOAdso8arZFmcZ80f2N
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Formbook payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-