formbook | e539f80082f961c600e6ff2a21e969d0641aa787831259d3fdd772b28d469721 | Triage

Sharing

General

Target

SecuriteInfo.com.Win32.Trojan-gen.31819.28757
Size

733KB
Sample

221129-lnjawsah9t
MD5

f536ea8fb5b6586bb2ffc764cd52abff
SHA1

313804060f2511b8382d369a3949d5524c1adaef
SHA256

e539f80082f961c600e6ff2a21e969d0641aa787831259d3fdd772b28d469721
SHA512

873e0a7174be40db35f8e8f06fd7ffaf340128e7ee6ec09f691ca8857aac9b1f4c5d6cdb76841858ef4e52b2fa5a4a9a18588221567626fe1474b8b101cef8ea
SSDEEP

12288:i1qMhtVLzLypCggIh36+O9dvjpQVeri442qKk/RqIkr:WFhHzmQgn6+8T/r7PaqI

Score

10^/10

formbook modiloader nvp4 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

nvp4

Decoy

EiywrQNofDNveWY1IESoBA==

yqEWFGRfErX7ICQCwyQ+YeLXtaA=

Ers0rc50nbjso0jbdZTmBw==

XQxVP45+F5OZn3ZBTC7MLe1OF3G5c5uK9A==

RHh4uwtsttjzlxy+eW3+

W+xQshfnvmF5n5x2d+cEVdBNIkQRHRE=

FwlyiuXNX0+Trw==

euLn91on/7DeDe++zbQ4YeLXtaA=

td4cO8m3HDRWtl8p7Q==

ZrlyAAPqc3GXI5k=

OM0IisKOI78FJC/IuIxxAu5nRg==

d6A0QJ6PV+AOpyK+eW3+

+EgxFWUu3Ulatl8p7Q==

GC/stck1ILXn+cWZx7w8W6rPFmO6c5uK9A==

hhIiK4+CKEOfB4tr

mA1pyQ85ye8N

4xgWYcEpEoidv8eXKNncAQ==

L+hOVbe+IWyc8oVUclc=

J7EGaJ+L+wKLXUYg7w==

L5R/nfdgQdMHD+TUKw1Zo3Hb

Targets

- Target
  
  SecuriteInfo.com.Win32.Trojan-gen.31819.28757
- Size
  
  733KB
- MD5
  
  f536ea8fb5b6586bb2ffc764cd52abff
- SHA1
  
  313804060f2511b8382d369a3949d5524c1adaef
- SHA256
  
  e539f80082f961c600e6ff2a21e969d0641aa787831259d3fdd772b28d469721
- SHA512
  
  873e0a7174be40db35f8e8f06fd7ffaf340128e7ee6ec09f691ca8857aac9b1f4c5d6cdb76841858ef4e52b2fa5a4a9a18588221567626fe1474b8b101cef8ea
- SSDEEP
  
  12288:i1qMhtVLzLypCggIh36+O9dvjpQVeri442qKk/RqIkr:WFhHzmQgn6+8T/r7PaqI
Score

10^/10

modiloader trojan formbook nvp4 persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

formbookmodiloadernvp4persistenceratspywarestealertrojan