Overview

overview

10

Static

static

Lista de n...os.exe

windows7_x64

10

Lista de n...os.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Lista de nuevos pedidos.exe

  • Size

    825KB

  • Sample

    210331-vve22gtwjn

  • MD5

    3dc09b272c666a298915d94e612f4763

  • SHA1

    6621d15852fcb35f2438481691da07c82cf8f62f

  • SHA256

    c32dee06d3afee022d74b45536699ed2d6458d39dff35d4830cb9febecdb8143

  • SHA512

    e303bfdc04ba3a9f3e3a9e718018eb6c871935ce8869a9ff99260268ca0daecee56995d79d96d6e1841d41a2f17f8544f3a4c6a4ae1f08b0f686440d2b69b92d

Score
10/10
formbookmodiloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.joomlas123.info/3nop/

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Targets

    • Target

      Lista de nuevos pedidos.exe

    • Size

      825KB

    • MD5

      3dc09b272c666a298915d94e612f4763

    • SHA1

      6621d15852fcb35f2438481691da07c82cf8f62f

    • SHA256

      c32dee06d3afee022d74b45536699ed2d6458d39dff35d4830cb9febecdb8143

    • SHA512

      e303bfdc04ba3a9f3e3a9e718018eb6c871935ce8869a9ff99260268ca0daecee56995d79d96d6e1841d41a2f17f8544f3a4c6a4ae1f08b0f686440d2b69b92d

    Score
    10/10
    formbookmodiloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks