formbook

General

Target

T31597760-Confirm-20220928-100016-Email-1574408.exe
Size

703KB
Sample

221003-zve4psfdbm
MD5

0871cbfa8ce408ea52b756e11393d2e3
SHA1

8f751a63377498c1f4d0e4f619f573a96a978ec9
SHA256

bb95ccaab5ce2f87f0fc110601b059f67425defa9ebcbaa4b106fc763a477f7c
SHA512

1a5a9c95d483d2f91df63e5c57962c72eed0b20f4576b3dbbbeefd2a1fc20ae04056e72688f7b6f4c8ddff21d7599370f72cb6eb88f5708b5b77bca00a6dbfed
SSDEEP

12288:ybOmOriMiEDW9a4nrpUbOrRL7e+ax+6m23m23mo26pbZeZr:yiprmEDWM4nCyrxi+ax+6m23m23mSpbc

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

2dou

Decoy

/OEd9KnwK/iP

zlyDQht5zbJFuAXSIdTUjw==

kDYUq8UfDwCluA34CDyS

7HZOV1qT4rFI5mpJrcnoWVc=

nnBRxMHdw4wosAXSIdTUjw==

sdQ/2s4XC8g0MFFBBEfViR1V

oHDnk6LHnHUHiwsLn33GBcm+egCb

yV2U0Zf13bN3D3x7Df9++fDhF7CILTul

cUbD5d4TmWcGB+BgyA==

Kky9XlCLiTQfNUk1/zQ=

ejVhmGLOqY9fiNPrefZMfFM=

lVvGdVA2G/K9r8Bdwg==

Gj+ogjaA9c92ElYsqMnoWVc=

9yiEqVFDpWT9JJ/cfNrPhw==

j2DBby8l6rlNV1HhxqOa

jJoCUeXDOwrETLssvPAFS1E=

kTJX5Y2Uj2U13OlkcUguJN+eCqGILTul

VQTbC33cwRTrePw=

JhV0w4/tyLmFrur+5EHViR1V

DyZj5vhGPxKtdLzixvlTWFHQU6hIAk2mWw==

Extracted

Family

xloader

Version

3.5

Campaign

2dou

Decoy

/OEd9KnwK/iP

zlyDQht5zbJFuAXSIdTUjw==

kDYUq8UfDwCluA34CDyS

7HZOV1qT4rFI5mpJrcnoWVc=

nnBRxMHdw4wosAXSIdTUjw==

sdQ/2s4XC8g0MFFBBEfViR1V

oHDnk6LHnHUHiwsLn33GBcm+egCb

yV2U0Zf13bN3D3x7Df9++fDhF7CILTul

cUbD5d4TmWcGB+BgyA==

Kky9XlCLiTQfNUk1/zQ=

ejVhmGLOqY9fiNPrefZMfFM=

lVvGdVA2G/K9r8Bdwg==

Gj+ogjaA9c92ElYsqMnoWVc=

9yiEqVFDpWT9JJ/cfNrPhw==

j2DBby8l6rlNV1HhxqOa

jJoCUeXDOwrETLssvPAFS1E=

kTJX5Y2Uj2U13OlkcUguJN+eCqGILTul

VQTbC33cwRTrePw=

JhV0w4/tyLmFrur+5EHViR1V

DyZj5vhGPxKtdLzixvlTWFHQU6hIAk2mWw==

Targets

- Target
  
  T31597760-Confirm-20220928-100016-Email-1574408.exe
- Size
  
  703KB
- MD5
  
  0871cbfa8ce408ea52b756e11393d2e3
- SHA1
  
  8f751a63377498c1f4d0e4f619f573a96a978ec9
- SHA256
  
  bb95ccaab5ce2f87f0fc110601b059f67425defa9ebcbaa4b106fc763a477f7c
- SHA512
  
  1a5a9c95d483d2f91df63e5c57962c72eed0b20f4576b3dbbbeefd2a1fc20ae04056e72688f7b6f4c8ddff21d7599370f72cb6eb88f5708b5b77bca00a6dbfed
- SSDEEP
  
  12288:ybOmOriMiEDW9a4nrpUbOrRL7e+ax+6m23m23mo26pbZeZr:yiprmEDWM4nCyrxi+ax+6m23m23mSpbc
Score

10^/10

formbook modiloader xloader 2dou loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- ModiLoader Second Stage
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

ModiLoader, DBatLoader

Xloader

ModiLoader Second Stage

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2