Overview

overview

10

Static

static

Documento.exe

windows7_x64

10

Documento.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Documento.exe

  • Size

    865KB

  • Sample

    210806-w16642ztwe

  • MD5

    d8abd4f86a18863e236bd2f3118344f4

  • SHA1

    72f6c8df84b627ece609e249b530c2e8bba949fc

  • SHA256

    c70917b8034aedf54cf578fa9db38399a6129376bc7d06cacd6b324fed45c5a7

  • SHA512

    448371b54e18cd656d4627dfdc38fe6b32f7e5d2ef07e4b644c8a0bd016d9ba8d4240130e3124c33cbfd582cabdc4d6e38bf22b65335ded51b313cf688aa6692

Score
10/10
formbookmodiloaderkd8kpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kd8k

C2

http://www.drtimgood.com/kd8k/

Decoy

khjbhqpha.com

edukasiinvestor.com

jokysun.com

remnantfund.com

yolevin.com

namshicontrole2.com

manayikorean.site

ysy.mobi

netconzulting.com

deeparchivesvpn.com

kiemmieng.com

guptavegetables.com

walihamidullahthetraveller.com

littlehamptonacres.com

pause-to-simplify.com

famehound.com

artthatsells.net

hickorymontessori.com

enjoyitpestfree.com

linuxliang.com

Targets

    • Target

      Documento.exe

    • Size

      865KB

    • MD5

      d8abd4f86a18863e236bd2f3118344f4

    • SHA1

      72f6c8df84b627ece609e249b530c2e8bba949fc

    • SHA256

      c70917b8034aedf54cf578fa9db38399a6129376bc7d06cacd6b324fed45c5a7

    • SHA512

      448371b54e18cd656d4627dfdc38fe6b32f7e5d2ef07e4b644c8a0bd016d9ba8d4240130e3124c33cbfd582cabdc4d6e38bf22b65335ded51b313cf688aa6692

    Score
    10/10
    formbookmodiloaderkd8kpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks