formbook | 45f838f47dc31fd3130e5fc24591a7c59e40bd300a8c093efa8ba503b77d91be | Triage

Submit
Reports

Overview

overview

Static

static

1

6897445707...07.exe

windows7-x64

6897445707...07.exe

windows10-2004-x64

6897445707...it.pdf

windows7-x64

1

6897445707...it.pdf

windows10-2004-x64

1

Sharing

General

Target

9bf581ad524054d013182339682f1ad3
Size

463KB
Sample

221004-x2fbyacac6
MD5

9bf581ad524054d013182339682f1ad3
SHA1

e2034bb82eacd863ae310d493327e1e32321f261
SHA256

45f838f47dc31fd3130e5fc24591a7c59e40bd300a8c093efa8ba503b77d91be
SHA512

c3f7b938ab5f2a3ddfc2266011b183751e039a6995c094d1404c003ff29220b29c3ebf24dd44004438dbb647b679d127b311e9860b6d0a67d7bbe1e459e1ecf4
SSDEEP

12288:MJf8FU3tEBYJJVx7BY18Y8NactaJIwQip+jVdp:MJf8gEyJJVx2+acRR

Score

10^/10

formbook modiloader xloader od65 loader persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6897445707/6897445707.exe

Resource

win7-20220812-en

formbook modiloader od65 persistence rat spyware stealer trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

6897445707/6897445707.exe

Resource

win10v2004-20220812-en

formbook modiloader xloader od65 loader persistence rat spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Behavioral task

behavioral3

Sample

6897445707/terms_conditions_of_carriage_it.pdf

Resource

win7-20220812-en

windows7-x64

1 signatures

150 seconds

Behavioral task

behavioral4

Sample

6897445707/terms_conditions_of_carriage_it.pdf

Resource

win10v2004-20220812-en

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Campaign

od65

Decoy

oMDl7+9m1JtQ+KJ//bSZYk7C

0nQRVuikEsWM9KcRhRk=

VXATJsbZt/OyEi6Z0Y9m9O4=

C8ZitXuEXIk613jZWQ==

4IIRKYI2mygmEr7EUhOuiEZ1ux4c

x3mNjz4y4M20lnKM1I9m9O4=

UGB//3QuqmDHeDQ=

2H5k5/UwHEwPv2G+Sg==

xHh+uLvyCnZdPo0YXdyEe+ZowQ==

MMGT27gl8VFJ

pLA/Ve3++kcn1lhn6dDmhI2KGzfKNYU=

Ic/vJ/dG0uDhkYblI6XXFL0SN8cDrZP5

MfKDkw/woqFDCabB0YIs

IsDCzc1GuJOGdqX4CgCAPA==

bROVz2hP/wgV9/eGkw4=

cyM+htBboyUeyj0qbuqNTrhX9gJF/6fx

Q+MDF9cCCn8pkyU5y7fmPwYagMMGB7jx

Ve57nDZMRqeXP+V+0IMu

vmJrjeIXWfXWuZbB0YIs

5qVAfUZyi/sC13jZWQ==

NmiU4T7nYX0x6fJ17a7PmWhcKMo=

kK5LUcCAJDHshaFEyMHsNeY=

lEpmo6kl8VFJ

6ATMHDa/DINAdiQK

jz5XhZL2PduGNO3G1I9m9O4=

mSNB1J9zci/VNA==

kFbzCVDrQfnCIJ3B0YIs

rEbD53hwVJVAdiQK

1/CK163mEa121kAkZ+uepxeS2A==

+7Pf7bMl8VFJ

Yoo5bumqT1JkTAfX7WBW4dS1HxOyQI8=

QvYSNwovL5GCLJ/B0YIs

DbvE7/JDRHtDtMho964n8K+G9kJWDw==

fpYkThtoqmVaQFSr9reCuWNcKMo=

ypArNtTty9bVr5iDvT/krGDY9kJWDw==

oFxwvv960JOOdHdKhgQ=

OekWK+T36z8KvvNYc96ZYk7C

ROzyNHcCYAatZ3dKhgQ=

cAilwxjge2RVMvbdayeziEd1ux4c

c5pFdQLkm5KCMzKO49KFe+ZowQ==

LuQJSmTNDa1hy15zb+1raE/K

bxgjYmy721xxWu/EFcdnbnHY9kJWDw==

SuTqDReY670tjxIYK5+sMOUCacI=

ikDS/oh6ci/VNA==

APP7L4APbAOuA6cRhRk=

LtQACYFEwW7ukPnIHwY=

D0VpdXnS6WYQzOOBlUqz6ug=

9g+Y3/JjpTAsDKrB0YIs

/axBa+KWIAOmGivACgCAPA==

UBIsXW3MBoBAdiQK

JMsqt8+XMzPjTjN/hgCSk0jds3MDrZP5

fDKszl1ICyHbOCiN0Y9m9O4=

bngDHcvMrfbGNBW18oQ7

aAoYNzuo+6ZRAfeGkw4=

Rf0SWbRc1Icx4Zl0jA1CikZ1ux4c

43KMu4R9ci/VNA==

lMRjo4rXA5deyks2gPZiM/dxds4DrZP5

x2nqBJyXVVxmFhevNe14e+ZowQ==

LNJ8gpABQ9bxzxCc6KeZYk7C

IbZEawkiHmMnmHva+XQW2pMWZojCvPsrJw==

i7hBQNDFgYWGOjfCCgCAPA==

7pQtM3QdlFocB6OSRA==

WWV4rPrDeouLe0TUUw==

fgckl1Utr2DHeDQ=

astrobudka.net

Extracted

Family

xloader

Version

3.8

Campaign

od65

Decoy

oMDl7+9m1JtQ+KJ//bSZYk7C

0nQRVuikEsWM9KcRhRk=

VXATJsbZt/OyEi6Z0Y9m9O4=

C8ZitXuEXIk613jZWQ==

4IIRKYI2mygmEr7EUhOuiEZ1ux4c

x3mNjz4y4M20lnKM1I9m9O4=

UGB//3QuqmDHeDQ=

2H5k5/UwHEwPv2G+Sg==

xHh+uLvyCnZdPo0YXdyEe+ZowQ==

MMGT27gl8VFJ

pLA/Ve3++kcn1lhn6dDmhI2KGzfKNYU=

Ic/vJ/dG0uDhkYblI6XXFL0SN8cDrZP5

MfKDkw/woqFDCabB0YIs

IsDCzc1GuJOGdqX4CgCAPA==

bROVz2hP/wgV9/eGkw4=

cyM+htBboyUeyj0qbuqNTrhX9gJF/6fx

Q+MDF9cCCn8pkyU5y7fmPwYagMMGB7jx

Ve57nDZMRqeXP+V+0IMu

vmJrjeIXWfXWuZbB0YIs

5qVAfUZyi/sC13jZWQ==

NmiU4T7nYX0x6fJ17a7PmWhcKMo=

kK5LUcCAJDHshaFEyMHsNeY=

lEpmo6kl8VFJ

6ATMHDa/DINAdiQK

jz5XhZL2PduGNO3G1I9m9O4=

mSNB1J9zci/VNA==

kFbzCVDrQfnCIJ3B0YIs

rEbD53hwVJVAdiQK

1/CK163mEa121kAkZ+uepxeS2A==

+7Pf7bMl8VFJ

Yoo5bumqT1JkTAfX7WBW4dS1HxOyQI8=

QvYSNwovL5GCLJ/B0YIs

DbvE7/JDRHtDtMho964n8K+G9kJWDw==

fpYkThtoqmVaQFSr9reCuWNcKMo=

ypArNtTty9bVr5iDvT/krGDY9kJWDw==

oFxwvv960JOOdHdKhgQ=

OekWK+T36z8KvvNYc96ZYk7C

ROzyNHcCYAatZ3dKhgQ=

cAilwxjge2RVMvbdayeziEd1ux4c

c5pFdQLkm5KCMzKO49KFe+ZowQ==

LuQJSmTNDa1hy15zb+1raE/K

bxgjYmy721xxWu/EFcdnbnHY9kJWDw==

SuTqDReY670tjxIYK5+sMOUCacI=

ikDS/oh6ci/VNA==

APP7L4APbAOuA6cRhRk=

LtQACYFEwW7ukPnIHwY=

D0VpdXnS6WYQzOOBlUqz6ug=

9g+Y3/JjpTAsDKrB0YIs

/axBa+KWIAOmGivACgCAPA==

UBIsXW3MBoBAdiQK

JMsqt8+XMzPjTjN/hgCSk0jds3MDrZP5

fDKszl1ICyHbOCiN0Y9m9O4=

bngDHcvMrfbGNBW18oQ7

aAoYNzuo+6ZRAfeGkw4=

Rf0SWbRc1Icx4Zl0jA1CikZ1ux4c

43KMu4R9ci/VNA==

lMRjo4rXA5deyks2gPZiM/dxds4DrZP5

x2nqBJyXVVxmFhevNe14e+ZowQ==

LNJ8gpABQ9bxzxCc6KeZYk7C

IbZEawkiHmMnmHva+XQW2pMWZojCvPsrJw==

i7hBQNDFgYWGOjfCCgCAPA==

7pQtM3QdlFocB6OSRA==

WWV4rPrDeouLe0TUUw==

fgckl1Utr2DHeDQ=

astrobudka.net

Targets

- Target
  
  6897445707/6897445707.exe
- Size
  
  839KB
- MD5
  
  381cdc135c6e06969d270fd7e754d148
- SHA1
  
  649ee25900a10b1cf567ca867489658be44a3629
- SHA256
  
  6c51e2ce3f46927b7b8bc3a559980136e6fdf05bcdf6d84294a0e64fe9adf56b
- SHA512
  
  faceefe7b56408c6e187f72871cb55fbf0e4490ce92d886189551facc7292b412dc0d49d7fa67e5e7efc061c39707c9a401b8058253e9b2ca77fa1341ca260b0
- SSDEEP
  
  24576:e7eYV4ukDeT876VCMNh39DMPsnjDIP3j:O86kqLnjDIP
Score

10^/10

formbook modiloader od65 persistence rat spyware stealer trojan xloader loader
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  6897445707/terms_conditions_of_carriage_it.pdf
- Size
  
  58KB
- MD5
  
  0de95b7f5f0d6af56941b7d2cd1b99bb
- SHA1
  
  ba9b92e111599088f10fe235dcb2bdb2cbebc489
- SHA256
  
  6d2cab86a9448e3b1e10739cdd8ae8cefd472ae80e21853ffac69b3102ed8412
- SHA512
  
  c5ce684289382283cce611ed0e123dbcebe77566605f4557a111f3411c48f6a48dea8f357d2a289c1c800cf4cbd177479ac4fcde53440a0eba94797301d3d6ef
- SSDEEP
  
  48:4YnqAc38mjHlkdS6a6vJT/KNlq7Ccxk8lXpouERArgq6C+kot4Ph4EVxcal5Ifwp:4Ync6aOJOLGO8lXNEZtks8h4EVeoAK
Score

1^/10
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookmodiloaderod65persistenceratspywarestealertrojan

behavioral2

formbookmodiloaderxloaderod65loaderpersistenceratspywarestealertrojan

behavioral3

behavioral4

© 2018-2024

Terms | Privacy