formbook

General

Target

test.jpg.exe
Size

764KB
Sample

210319-naxar2ntws
MD5

980a55049ad78b00f7a9cd35feccef70
SHA1

c550a9b12b02882ac068fce2f65f4e827c9ba1b8
SHA256

1a65d32d353149d5b310fc0ea603268baf85a66733870cc890d6558ac44a1107
SHA512

d3794e0d3108eba464236b5e9b19b3c0c472751c51ce7385425a888b00681788e85af2952190ac94e3bce80dd7f073f5d5eedc1db66683e72a4856ee8db13b98

Score

10^/10

Malware Config

Extracted

Family

formbook

C2

http://www.joomlas123.info/3nop/

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Targets

- Target
  
  test.jpg.exe
- Size
  
  764KB
- MD5
  
  980a55049ad78b00f7a9cd35feccef70
- SHA1
  
  c550a9b12b02882ac068fce2f65f4e827c9ba1b8
- SHA256
  
  1a65d32d353149d5b310fc0ea603268baf85a66733870cc890d6558ac44a1107
- SHA512
  
  d3794e0d3108eba464236b5e9b19b3c0c472751c51ce7385425a888b00681788e85af2952190ac94e3bce80dd7f073f5d5eedc1db66683e72a4856ee8db13b98
Score

10^/10

formbook modiloader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Formbook Payload

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2