formbook

General

Target

85ba889a32a7f05f10259b60b5b99489392865c025978171d93c9074a7cdb84f
Size

936KB
Sample

221012-t24srabfeq
MD5

4e88286476d26cead4caafb1231ec062
SHA1

e7051669e96f7c80b8affc1554d0fa6e9fad5117
SHA256

85ba889a32a7f05f10259b60b5b99489392865c025978171d93c9074a7cdb84f
SHA512

06de3ec1d5d4f018b8ce9af031c2c37f89e09bd6c49b3a33f774a7bcb00ef3160906b4a8fcc3a93d1b5324bb05c2c4e57ebe6776524125c57585f790452b9e23
SSDEEP

24576:J6K2h1iVrItFQWGKN+NXN40JIyLrFHDvk:J6K286n+NXmWb1j

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

g2vp

Decoy

vz0+DrD922K7

V5ZNAytMxUPisN5i

Vybph6lLcYZKp1DCPg==

9G7+3oNwb8g=

rLSpOybMkJg7zg==

Waxl6QhHkJg7zg==

+VcesNB/gWPH7f6OTx5TCsmQIQ==

qY1JBTFp78tVa0NoY1fRgA==

mJBPbgYFyiyi

Kn4x3wYykJg7zg==

HV4LyfYgnoBkBmjQjDE/6Jc=

5fztl7/4km4ft/A49wgjlw==

WhORUSjYSG8/0w==

q2odpxEmGy8jOSM=

mpiaKMwZKWwQKhpFAme9mu7WNg==

SlBF07lCZ3AiZF2iIZUnCQnqtvnqXBA=

qigcpxO2PpxU7ClaJovhvToKClAYexg=

4nBYD4adzkTisN5i

WKleKtX1IotJ3QxT2vUkq4o=

yE5P+SVt40XisN5i

Targets

- Target
  
  85ba889a32a7f05f10259b60b5b99489392865c025978171d93c9074a7cdb84f
- Size
  
  936KB
- MD5
  
  4e88286476d26cead4caafb1231ec062
- SHA1
  
  e7051669e96f7c80b8affc1554d0fa6e9fad5117
- SHA256
  
  85ba889a32a7f05f10259b60b5b99489392865c025978171d93c9074a7cdb84f
- SHA512
  
  06de3ec1d5d4f018b8ce9af031c2c37f89e09bd6c49b3a33f774a7bcb00ef3160906b4a8fcc3a93d1b5324bb05c2c4e57ebe6776524125c57585f790452b9e23
- SSDEEP
  
  24576:J6K2h1iVrItFQWGKN+NXN40JIyLrFHDvk:J6K286n+NXmWb1j
Score

10^/10

modiloader trojan formbook g2vp persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

ModiLoader Second Stage

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2