Overview

overview

10

Static

static

NEW PO.exe

windows7-x64

1

NEW PO.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NEW PO.exe

  • Size

    1.1MB

  • Sample

    220809-paay5shhhn

  • MD5

    5b9d5dd439a7ed7bfc4fb62a17d04b4d

  • SHA1

    ee8ac089fbf4f09861dc06b2298469eca12a9ac7

  • SHA256

    7d5c7b03dcc7496b6dfb7f5726b3901d48da7ed3dd8e6d171db278e7ba9902b0

  • SHA512

    a17b947492ecd61d20cb49015d445a9a88b588f6333f2841a64da1040a0cf949035e0e452c9a945fffa46baa61ad3a2eae17c13093f1c5fd7c58cd3e7caba74b

Score
10/10
formbookmodiloaderd27epersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d27e

Decoy

lilysbusride.com

cloud-sechs.com

danpro.co.uk

wendoortech.com

playgroundrebellion.com

betventures.xyz

digimediasolution.net

abrahambetrayedus.com

whinefree.com

realeurolicence.com

makelovetrip.com

damediaagency.com

pinaralsan.com

5bobitw.com

shootingkarelia.online

website-staging.pro

manassadhvi.online

bathroomandkitcenking.com

realtormarket.net

dfysupport.com

Targets

    • Target

      NEW PO.exe

    • Size

      1.1MB

    • MD5

      5b9d5dd439a7ed7bfc4fb62a17d04b4d

    • SHA1

      ee8ac089fbf4f09861dc06b2298469eca12a9ac7

    • SHA256

      7d5c7b03dcc7496b6dfb7f5726b3901d48da7ed3dd8e6d171db278e7ba9902b0

    • SHA512

      a17b947492ecd61d20cb49015d445a9a88b588f6333f2841a64da1040a0cf949035e0e452c9a945fffa46baa61ad3a2eae17c13093f1c5fd7c58cd3e7caba74b

    Score
    10/10
    formbookmodiloaderd27epersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Formbook payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks