formbook

General

Target

dbbd5f34648cc1a20d0022c47a6531a6.exe
Size

940KB
Sample

220920-qc8tmageep
MD5

dbbd5f34648cc1a20d0022c47a6531a6
SHA1

84bc195e56cdc6804cb987af330608ef5b173a67
SHA256

f8612ea8ab764a3d09157a9b90dc418ec2a7b8af22b29ce63d375896f9ec9a28
SHA512

6d44509bfb38afe4490034736e20dc59cd97de0a4e8cdbdddcd353f7ba5a470a1288f6a2761fa31d4c81bfdf0f6dc8cd56581e27f138e783ecea3e520d9819b3
SSDEEP

24576:xuLJQ0+ai+JoMCXlTjcEa0s4Tj29W8AoqiVNWI:xUpRx+cEa0Q

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

chof

Decoy

1UnM9v3V2HuR2iE=

B4oRF6xBBhDKMJEdaPRiEAw0

r9++/ZEvBh3jRD0FzE01EA==

8qVuosqPI0JfNJGbZ15FT4J8Ng==

83F9+6BFk45ZYEWU04g=

aFPhK8qZoK5CUsemIC+pMoA=

hHkCihi3/HESewQJvpc=

GUMdYJRn7phVzbCTl1BDFg==

aqh5D/PNZYKH3xjDlAoz

P7NS0gXlNFVl

tS/FQFfydoZW6R2I

249T0dBwbVJp

7qNui6I3hCL3vpf5UgKVL+po4YZw

6A/tRMtieCQf/TMU1/8pJbScylADQJRwXA==

b6N1CLSByGdvSIFl6KkVYOlmEoA=

HNGX1Q3YXPxV7ceaT0w/T4J8Ng==

WwvO/0jw8ICLWo9w860VYelmEoA=

Mfa58tV8e9xs5FfhMi+pMoA=

ZOB69iIBTXJ2

EUENQq5AXeCoh8TO0BI5T4J8Ng==

Targets

- Target
  
  dbbd5f34648cc1a20d0022c47a6531a6.exe
- Size
  
  940KB
- MD5
  
  dbbd5f34648cc1a20d0022c47a6531a6
- SHA1
  
  84bc195e56cdc6804cb987af330608ef5b173a67
- SHA256
  
  f8612ea8ab764a3d09157a9b90dc418ec2a7b8af22b29ce63d375896f9ec9a28
- SHA512
  
  6d44509bfb38afe4490034736e20dc59cd97de0a4e8cdbdddcd353f7ba5a470a1288f6a2761fa31d4c81bfdf0f6dc8cd56581e27f138e783ecea3e520d9819b3
- SSDEEP
  
  24576:xuLJQ0+ai+JoMCXlTjcEa0s4Tj29W8AoqiVNWI:xUpRx+cEa0Q
Score

10^/10

modiloader trojan formbook chof persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader Second Stage
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

ModiLoader Second Stage

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2