Overview

overview

10

Static

static

a1775a2476...47.exe

windows7_x64

10

a1775a2476...47.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a1775a2476e688c996883a990c5d2447.exe

  • Size

    508KB

  • Sample

    210418-a38r37dy2s

  • MD5

    a1775a2476e688c996883a990c5d2447

  • SHA1

    44f49ab707ef24b3b24c9b17da1dae2ccf7faa67

  • SHA256

    c06d84a04de7e2e2300b5a5de7e531d26e67e2f7bcaf29c34b9f15dada38f502

  • SHA512

    a4a426591faf22232b59837d53d02f9adf1ff84babee469a7a3ce831fcaccf9dd1996a3715e160495309791ef53c0e5b3424646a019895fa44eff26a8084cb46

Score
10/10
formbookmodiloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

C2

http://www.mansiobbok.info/i19/

Decoy

carolinahempandhops.com

produkdigitalstore.com

fortmargins.com

freemycall.com

duan-sceniabaynhatrang.com

aymarka.site

americanstanardtubs.com

noritzas.com

plasticprintingservices.com

nb-junhong.com

joindanbrown.com

yy319.com

techjobschicago.com

soldamed.com

rybctushu.com

139139062.com

casasychaletspamplona.com

grupohman.com

letsomelightin.com

inspiredinteriorsco.com

Targets

    • Target

      a1775a2476e688c996883a990c5d2447.exe

    • Size

      508KB

    • MD5

      a1775a2476e688c996883a990c5d2447

    • SHA1

      44f49ab707ef24b3b24c9b17da1dae2ccf7faa67

    • SHA256

      c06d84a04de7e2e2300b5a5de7e531d26e67e2f7bcaf29c34b9f15dada38f502

    • SHA512

      a4a426591faf22232b59837d53d02f9adf1ff84babee469a7a3ce831fcaccf9dd1996a3715e160495309791ef53c0e5b3424646a019895fa44eff26a8084cb46

    Score
    10/10
    formbookmodiloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Formbook Payload

      rat

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks