formbook

General

Target

ordine.exe
Size

1.4MB
Sample

210430-w3nxj6d92x
MD5

d6b753fc740c8301a7da5ebe3f8e2df7
SHA1

47705bc6ade34ca538ddf6468f990f532ef3ee0a
SHA256

78ba1cb599b8e9e7e8a02497d3b3cbf29ff3e0cacd887fdebdb135940d50009d
SHA512

adb1eacbb6c0271e9f43651a5715148d89eb8051ac29168e3aaad1e432a4f29c91ed2bd6f389001d5f196bc7f7973aed0e9db916fe2a3ffda200174ac98d8ee5

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.joomlas123.info/3nop/

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Targets

- Target
  
  ordine.exe
- Size
  
  1.4MB
- MD5
  
  d6b753fc740c8301a7da5ebe3f8e2df7
- SHA1
  
  47705bc6ade34ca538ddf6468f990f532ef3ee0a
- SHA256
  
  78ba1cb599b8e9e7e8a02497d3b3cbf29ff3e0cacd887fdebdb135940d50009d
- SHA512
  
  adb1eacbb6c0271e9f43651a5715148d89eb8051ac29168e3aaad1e432a4f29c91ed2bd6f389001d5f196bc7f7973aed0e9db916fe2a3ffda200174ac98d8ee5
Score

10^/10

formbook persistence rat spyware stealer trojan modiloader
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Formbook Payload

Adds policy Run key to start application

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2