Overview

overview

10

Static

static

6b0d42e53e...in.exe

windows7_x64

10

6b0d42e53e...in.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    68e57e40_by_Libranalysis

  • Size

    369KB

  • Sample

    210427-hzznp91t8n

  • MD5

    68e57e40a02422952bcf80ff9060fd94

  • SHA1

    ee97d7a7ae67ffe2b1dd81fd97dfb8e15bc89ccd

  • SHA256

    9feb7414280bad0f1e0f02031664a91f6ddebfc44a94a134d1872ba972339c57

  • SHA512

    cbc40ecd906c42eb50dac1edabd7a904881eb65d86b70798245941e5ee8d1c029f099c1de97edc96d6d413f61c077dc111e628cd317a4a443d04ec20255964e5

Score
10/10
formbookmodiloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.joomlas123.info/3nop/

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Targets

    • Target

      6b0d42e53e09e8e294cdc18c507dac165293e73b2390f9185fae69583b85da2c.bin

    • Size

      827KB

    • MD5

      497f2a0c89b276b83c1a4f75e4b66593

    • SHA1

      ff8db77137f693446d74a4bbac6e685805ba3e0c

    • SHA256

      6b0d42e53e09e8e294cdc18c507dac165293e73b2390f9185fae69583b85da2c

    • SHA512

      650fc01d3ca30611971169bd2141a12b77cf3907bb6686b37638bb42dd74f9736354250eb7e7b8d2b239cd96854b5b7d3ab977aecbf0f371f4f574cffba7a920

    Score
    10/10
    formbookpersistenceratspywarestealertrojanmodiloader

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks