formbook

General

Target

SecuriteInfo.com.Win32.Malware-gen.15285.91.exe
Size

777KB
Sample

221205-mpdx8sbd86
MD5

aff165c8241720f92c4670bdbaa61e9f
SHA1

d5e9c9c4b081f7a383826a24a59cb71d8e0a0d98
SHA256

db399100d63fa87dbc5d6596d2c44749c0cee86ea45d7e81206277c9cdacb9f1
SHA512

11c8ce3f400c08bd578481f17cefeb7bfa93a5868c6dfba6772f2f5c45eca9a80dbf881831b052c42cbaff1209d1042c9945dec13074600fa39851a9936a16be
SSDEEP

12288:4aDW4pT3boLduwYh0H7/C+khXx7ogdmTOeIurz7MJUXbXzaHyCkonBNyrj:4ajVsLduwA0HLC+k7MgdmTRrl/ronB0

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t3c9

Decoy

shadeshmarriagemedia.com

e-russ.com

sofiashome.com

theworriedwell.com

americantechfront.com

seasonssparkling.com

maximuscanada.net

tifin-private-markets.com

amecc2.net

xuexi22.icu

injectiontek.com

enrrocastoneimports.com

marvelouslightcandleco.com

eaamedia.com

pmediaerp.com

tikivips111.com

chesterfieldcleaningcare.com

thecrowdedtablemusic.com

duncanvillepanthers.com

floriculturajoinville.xyz

Targets

- Target
  
  SecuriteInfo.com.Win32.Malware-gen.15285.91.exe
- Size
  
  777KB
- MD5
  
  aff165c8241720f92c4670bdbaa61e9f
- SHA1
  
  d5e9c9c4b081f7a383826a24a59cb71d8e0a0d98
- SHA256
  
  db399100d63fa87dbc5d6596d2c44749c0cee86ea45d7e81206277c9cdacb9f1
- SHA512
  
  11c8ce3f400c08bd578481f17cefeb7bfa93a5868c6dfba6772f2f5c45eca9a80dbf881831b052c42cbaff1209d1042c9945dec13074600fa39851a9936a16be
- SSDEEP
  
  12288:4aDW4pT3boLduwYh0H7/C+khXx7ogdmTOeIurz7MJUXbXzaHyCkonBNyrj:4ajVsLduwA0HLC+k7MgdmTRrl/ronB0
Score

10^/10

modiloader trojan formbook t3c9 persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Formbook payload

ModiLoader Second Stage

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2