formbook

General

Target

SecuriteInfo.com.Win32.DropperX-gen.15655.570.exe
Size

719KB
Sample

221124-rvpzxadh4v
MD5

05f703e7a42a6c540c9d5c815eb17f88
SHA1

2fc5a59e412216cba76eb7fa122478bec8c2d125
SHA256

0fd7b17afcfaa921522141380792c3105ec20547c795a21c2eb0810c82e7e5e2
SHA512

8f7eca2be01bb273b7e18644b02d9358725baf3bd1d51919899226ac8e1a7b8050d018f0af72341eb4aa092150537f151f303513c92305d1dc44e5741bd1c6b0
SSDEEP

12288:HbAOmbLGin3WhvyX2GahiJ9//4BsEOeNOVOYPmMi0fq1r:HbPsLV3WhKX2GF///MsEfAVOKmMi0fM

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

t3qw

Decoy

cmv2ztfryZrE+3A/E6XVJY/zH13snw==

znM2r24wvyjMBxCX

RH+7M2Ut6PYms2mB6ho=

ZlPRueq+YTIhbwootBU3h8T3H13snw==

cVz99xUsBqvFN6B45U9nio0=

BXU3DIrcdhs2gNyk+lCCIoY=

uzBaz3kYIIMfK6V0Mr9FnhdNPg==

8rOZ/v+7fprLI6NzR+6HJl7EH13snw==

Pr2Wev5P6jlqWCiehQ==

dbzaPc5eWb5zVCPsyrU/

IeLgUQI37HLkFgKO

4xt3Y4yVega6l2LuLk5aovIhhLU=

2QdkbxFB8tkDMkQEyqg1

X1OV8wH0+lwCBwvIciO7Ug==

lYIX+/YAFhbMBxCX

DoxOV/qIixyT+HME6yyvTw==

GAuVkyRmIgwqdeGgIVU3iY8=

VMPRWwSKoDLoqJJuQ3B8kZI=

SAy2t2O1YK0dvad741U3iY8=

OOLZqb+rGSobYw==

Targets

- Target
  
  SecuriteInfo.com.Win32.DropperX-gen.15655.570.exe
- Size
  
  719KB
- MD5
  
  05f703e7a42a6c540c9d5c815eb17f88
- SHA1
  
  2fc5a59e412216cba76eb7fa122478bec8c2d125
- SHA256
  
  0fd7b17afcfaa921522141380792c3105ec20547c795a21c2eb0810c82e7e5e2
- SHA512
  
  8f7eca2be01bb273b7e18644b02d9358725baf3bd1d51919899226ac8e1a7b8050d018f0af72341eb4aa092150537f151f303513c92305d1dc44e5741bd1c6b0
- SSDEEP
  
  12288:HbAOmbLGin3WhvyX2GahiJ9//4BsEOeNOVOYPmMi0fq1r:HbPsLV3WhKX2GF///MsEfAVOKmMi0fM
Score

10^/10

modiloader trojan formbook t3qw persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

ModiLoader Second Stage

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2