formbook | 383d80ef71e1bd484b6838e3c89eebca3bea49ef0648d3a79564c87aa6ddc00f | Triage

Submit
Reports

Overview

overview

Static

static

December SOA.exe

windows7_x64

December SOA.exe

windows10_x64

Sharing

General

Target

December SOA.exe
Size

631KB
Sample

210104-nk9plhnmn2
MD5

eeb02ab3b51a522164e83aafa98494e3
SHA1

c140ae8539c87fd77cba97f725756a71d25ded84
SHA256

383d80ef71e1bd484b6838e3c89eebca3bea49ef0648d3a79564c87aa6ddc00f
SHA512

44a467a7886bd38e776769d1b6f2bcf286d57c2ea0492edfb204d3dcc5c7edae5c5585bad7ae354a1c51db91754ebfbba4ef03e43a6cd56288630228296376b4

Score

10^/10

formbook modiloader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

December SOA.exe

Resource

win7v20201028

formbook modiloader persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

December SOA.exe

Resource

win10v20201028

formbook modiloader persistence rat spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

C2

http://www.plantbasedtransporter.com/m98/

Decoy

anesbensghair.com

crewsquid.com

thetekapp.com

africaisin.com

dodailyworkout.com

al-sultangate.com

aliciafowens.com

bbluebelt3dwdbuy.com

qjpay.pro

emotionalgun.club

guapasnatural.com

myessentials2020.com

cw-mag.com

petrousd.com

byyter.com

hima-tubusi.com

chapelcouture.com

thehollowcause.site

moskovganteng.com

2024project.com

olenfex.com

caiyisan.com

1d2g3m.com

aronaw.com

frontierautoglasslockport.com

pay-misfeel.com

noemiluquerodin.com

860703.com

management-h2g.com

chinadrac.com

click2hr.com

turf-safe.com

siltect.com

ash3ntv.com

carinsurably.com

saamacapital.com

bruceeng.com

agenciaebano.com

moscowcity.business

yogapants.xyz

lagoseyecenter.com

forccartex-tw.com

mytravel.travel

support-login-online.network

drinksbyfuego.com

quicksigningdoc.com

mikmake.net

sineflik.com

ekreysert.com

lifeinspiredgifts.com

ezpassnny.com

diskrab.com

masterbrandcabinetry.com

cosplaymaroc.com

xr3m.com

lakecharlesloan.com

parcelwolf.com

hellosunnyco.com

misery-indexrain.com

mysweetdreamsart.com

rothretirementsolutions.com

conecsa.group

onlinepedidos.com

learnstartupdesign.com

Targets

- Target
  
  December SOA.exe
- Size
  
  631KB
- MD5
  
  eeb02ab3b51a522164e83aafa98494e3
- SHA1
  
  c140ae8539c87fd77cba97f725756a71d25ded84
- SHA256
  
  383d80ef71e1bd484b6838e3c89eebca3bea49ef0648d3a79564c87aa6ddc00f
- SHA512
  
  44a467a7886bd38e776769d1b6f2bcf286d57c2ea0492edfb204d3dcc5c7edae5c5585bad7ae354a1c51db91754ebfbba4ef03e43a6cd56288630228296376b4
Score

10^/10

formbook modiloader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookmodiloaderpersistenceratspywarestealertrojan

behavioral2

formbookmodiloaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy