Overview

overview

10

Static

static

f97e137e_b...is.exe

windows7_x64

10

f97e137e_b...is.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f97e137e_by_Libranalysis

  • Size

    804KB

  • Sample

    210504-g9qhgq4136

  • MD5

    f97e137e249bb393fd88b7dec1ddf9a2

  • SHA1

    09e3865d681b8670aa9a1ef184c06ca40927d94c

  • SHA256

    2f2c77d7bcd0fbf80b63b7b2e60b8192130c285bce2f946f021dee83954254e6

  • SHA512

    de554f995d7d94be652f0e5eb430745fa1329ed06d216b0b107c330831155d737fde91bd74835c3c6bdbf713fa16744fc555a922722886f5aaeb4d65fb0fa014

Score
10/10
formbookmodiloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.joomlas123.info/3nop/

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Targets

    • Target

      f97e137e_by_Libranalysis

    • Size

      804KB

    • MD5

      f97e137e249bb393fd88b7dec1ddf9a2

    • SHA1

      09e3865d681b8670aa9a1ef184c06ca40927d94c

    • SHA256

      2f2c77d7bcd0fbf80b63b7b2e60b8192130c285bce2f946f021dee83954254e6

    • SHA512

      de554f995d7d94be652f0e5eb430745fa1329ed06d216b0b107c330831155d737fde91bd74835c3c6bdbf713fa16744fc555a922722886f5aaeb4d65fb0fa014

    Score
    10/10
    formbookmodiloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks