formbook

General

Target

muestras de productos pdf.exe.xz
Size

422KB
Sample

221010-l7htgabfbm
MD5

fcf9f7fcd5c0914e6b25ae632882aecf
SHA1

dc49638623525f97f6e0ed699ca8843875cd1dd2
SHA256

8d611e8f9615ccc5629292e10475121e3cd6598dfa30f7705315e8ca99e641a2
SHA512

f1acd58743ceb0272fb76f4f94f7862b8a30981886a66d5adac0f28948013f7fe7557103fcaf6f7e0a3fca9dc76c10200e5fe8e0a8598cb3dbd26f7f66019340
SSDEEP

12288:SjitLHs6+ru66lTWaO7jQG7sKNPKUt4HHX2R8gjipqJ8ySEX:SWt43ruRJMXxSo6mR8gjniySG

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Targets

- Target
  
  muestras de productos pdf.exe
- Size
  
  977KB
- MD5
  
  e8055021bc8341f5a008c14ad2550890
- SHA1
  
  90b08b9bde911152cc89475a0bed6acdbaa518a8
- SHA256
  
  27d32b2af6392daaa9d08da8dec30cf109e82da5778ab1c7db87be3c8cc91502
- SHA512
  
  c183bbdcccb0b9cd0e9fb31202dc1b1c9beaf2bc2edc150b9bfb219cceeb208a592b46a806293c6e22b35e1ac908666050d9352c63779a2f0bc0aeb5bf24125b
- SSDEEP
  
  24576:KatTADYIErC0I2D3QauLMMQUtVSn52Ao:KtxnLy+Sn52A
Score

10^/10

modiloader trojan formbook kmge persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Blocklisted process makes network request
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Formbook payload

ModiLoader Second Stage

Blocklisted process makes network request

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2