formbook

General

Target

neue Bestellung pdf.exe
Size

513KB
Sample

210329-515esc4ann
MD5

250b3b54f46fb6d993fae87660e4249b
SHA1

e6c10e1dfc2fec4685bdea8d8662a388e934b747
SHA256

c771c0417fcf76bac5cb23d5213338c6c8f8b381f6744a7619feb36edec1dacb
SHA512

95f17a91a88e29b821106180c8eacf5b4732a4a647b05ca96fc6fcdf68ed43e0ecadad6d918360143db8c6239f54ffcb07d2bef82f11dda35465579af0373436

Score

10^/10

Malware Config

Extracted

Family

formbook

C2

http://www.joomlas123.info/n7ak/

Decoy

audereventur.com

huro14.com

wwwjinsha155.com

antiquevendor.com

samuraisoulfood.net

traffic4updates.download

hypersarv.com

rapport-happy-wedding.com

rokutechnosupport.online

allworljob.com

hanaleedossmann.com

kauai-marathon.com

bepbosch.com

kangen-international.com

zoneshopemenowz.com

belviderewrestling.com

ipllink.com

sellingforcreators.com

wwwswty6655.com

qtumboa.com

Extracted

Family

remcos

C2

bitcoinpage.dynu.net:2404

Targets

- Target
  
  neue Bestellung pdf.exe
- Size
  
  513KB
- MD5
  
  250b3b54f46fb6d993fae87660e4249b
- SHA1
  
  e6c10e1dfc2fec4685bdea8d8662a388e934b747
- SHA256
  
  c771c0417fcf76bac5cb23d5213338c6c8f8b381f6744a7619feb36edec1dacb
- SHA512
  
  95f17a91a88e29b821106180c8eacf5b4732a4a647b05ca96fc6fcdf68ed43e0ecadad6d918360143db8c6239f54ffcb07d2bef82f11dda35465579af0373436
Score

10^/10

formbook modiloader persistence rat spyware stealer trojan remcos
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

ModiLoader, DBatLoader

Remcos

Formbook Payload

Adds policy Run key to start application

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2