General
-
Target
Orcdpfi_Signed_.exe
-
Size
2.2MB
-
Sample
201125-ghlmk64gpj
-
MD5
fe5446b7bad5ccddc411dd35a9607d77
-
SHA1
1c487b3d275a1e931cb3d10bd9a345a09dc35340
-
SHA256
1e91dc39314361fd45321a8adc28435467ad1167ee0cc646f77946b522b9efe3
-
SHA512
803bb99fa256d1e932993f6f671d22bf927e0e6fa3ad412401cb52542775c8370f7d3f4a4a74d1e8f89b7642882e0bd0c0d3392af834421cd835d2f333953e9a
Malware Config
Extracted
formbook
http://www.joomlas123.info/n7ak/
audereventur.com
huro14.com
wwwjinsha155.com
antiquevendor.com
samuraisoulfood.net
traffic4updates.download
hypersarv.com
rapport-happy-wedding.com
rokutechnosupport.online
allworljob.com
hanaleedossmann.com
kauai-marathon.com
bepbosch.com
kangen-international.com
zoneshopemenowz.com
belviderewrestling.com
ipllink.com
sellingforcreators.com
wwwswty6655.com
qtumboa.com
Targets
-
-
Target
Orcdpfi_Signed_.exe
-
Size
2.2MB
-
MD5
fe5446b7bad5ccddc411dd35a9607d77
-
SHA1
1c487b3d275a1e931cb3d10bd9a345a09dc35340
-
SHA256
1e91dc39314361fd45321a8adc28435467ad1167ee0cc646f77946b522b9efe3
-
SHA512
803bb99fa256d1e932993f6f671d22bf927e0e6fa3ad412401cb52542775c8370f7d3f4a4a74d1e8f89b7642882e0bd0c0d3392af834421cd835d2f333953e9a
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Formbook Payload
-
ModiLoader First Stage
-
Adds policy Run key to start application
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-