Overview

overview

10

Static

static

ce60eac995...fb.rtf

windows7_x64

10

ce60eac995...fb.rtf

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ce60eac9955b4024e75b0fe7c3f5114c75c6beec8d5da1d1b0341659fdaacffb.doc

  • Size

    925KB

  • Sample

    220706-tsrrtsegbm

  • MD5

    ded902874fc3f5a79fef983cff9f4b3d

  • SHA1

    61e28a4ae7d38458abd251a202a21ea31af2c264

  • SHA256

    ce60eac9955b4024e75b0fe7c3f5114c75c6beec8d5da1d1b0341659fdaacffb

  • SHA512

    1421b04298497abc59ee034633d70660ff11d603ab8bbf7e214bde4d0515e82bb68554f96b0eb9f25263762c817138c2b4d832cc6fdfc2acd77146529f6e2ede

Score
10/10
formbookmodiloaderpo23ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

po23

Decoy

jacknull.xyz

commonellc.com

topnotchconstructor.com

thescienceofrecruiting.com

bellydancer.company

iforyo.com

hotgirlsseeking24.online

pelleycivil.com

plumblersnearme.com

helpfundabortionohio.com

wineandview.com

youfather.xyz

xsjxly.com

bnfconsults.com

apeholder.com

oldbutterflyevict.space

nara-happylife.com

frontmountedattachments.com

polizzastore.com

bettor-weather.com

Targets

    • Target

      ce60eac9955b4024e75b0fe7c3f5114c75c6beec8d5da1d1b0341659fdaacffb.doc

    • Size

      925KB

    • MD5

      ded902874fc3f5a79fef983cff9f4b3d

    • SHA1

      61e28a4ae7d38458abd251a202a21ea31af2c264

    • SHA256

      ce60eac9955b4024e75b0fe7c3f5114c75c6beec8d5da1d1b0341659fdaacffb

    • SHA512

      1421b04298497abc59ee034633d70660ff11d603ab8bbf7e214bde4d0515e82bb68554f96b0eb9f25263762c817138c2b4d832cc6fdfc2acd77146529f6e2ede

    Score
    10/10
    formbookmodiloaderpo23ratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • ModiLoader Second Stage

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks