Malware sandboxing report by Hatching Triage

General

Target

SecuriteInfo.com.Win32.Malware-gen.15285.91.exe
Size

777KB
Sample

221205-mpdx8sbd86
MD5

aff165c8241720f92c4670bdbaa61e9f
SHA1

d5e9c9c4b081f7a383826a24a59cb71d8e0a0d98
SHA256

db399100d63fa87dbc5d6596d2c44749c0cee86ea45d7e81206277c9cdacb9f1
SHA512

11c8ce3f400c08bd578481f17cefeb7bfa93a5868c6dfba6772f2f5c45eca9a80dbf881831b052c42cbaff1209d1042c9945dec13074600fa39851a9936a16be
SSDEEP

12288:4aDW4pT3boLduwYh0H7/C+khXx7ogdmTOeIurz7MJUXbXzaHyCkonBNyrj:4ajVsLduwA0HLC+k7MgdmTRrl/ronB0

Score

10^/10

Malware Config

Extracted

Family	formbook
Version	4.1
Campaign	t3c9
Decoy	shadeshmarriagemedia.com e-russ.com sofiashome.com theworriedwell.com americantechfront.com seasonssparkling.com maximuscanada.net tifin-private-markets.com amecc2.net xuexi22.icu injectiontek.com enrrocastoneimports.com marvelouslightcandleco.com eaamedia.com pmediaerp.com tikivips111.com chesterfieldcleaningcare.com thecrowdedtablemusic.com duncanvillepanthers.com floriculturajoinville.xyz bestcleaningagent.com blackpartyplanners.online atlanticphotovideo.com welfarewith.com vsesvezhie.online kingballyeg.com onanshop.com navarathnatemple.com tajcostore.com bittoastergames.com brasswork.info 92luoli.top neuroimagingai.com travisheightspartners.com securelifestyles21.net toydrumhosting.com a-2-zwholesale.com mnehbr.cloud hot51.one 3g10v4jwti2tur96.digital barbosasilvaadv.com addidas.me onpu.sa.com pienso-mascotas.com brinkmicro.com mari4731.com redtocsin.com tarponspringshandyman.com shknote.com jacksonholekush.com thephilosophyacademy.com gsolartech.com oferstar.com earlyrepeal.online medi-vacations.net bigredsellshomes.com bonitageeks.icu bossingh.xyz shanghaizang.com maisonlectio.com monktech.xyz hsmm999.com bateful.com billiondollar.company millesimevintage.com shadeshmarriagemedia.com e-russ.com sofiashome.com theworriedwell.com americantechfront.com seasonssparkling.com maximuscanada.net tifin-private-markets.com amecc2.net xuexi22.icu injectiontek.com enrrocastoneimports.com marvelouslightcandleco.com eaamedia.com pmediaerp.com tikivips111.com chesterfieldcleaningcare.com thecrowdedtablemusic.com duncanvillepanthers.com floriculturajoinville.xyz bestcleaningagent.com blackpartyplanners.online atlanticphotovideo.com welfarewith.com vsesvezhie.online kingballyeg.com onanshop.com navarathnatemple.com tajcostore.com bittoastergames.com brasswork.info 92luoli.top neuroimagingai.com travisheightspartners.com securelifestyles21.net toydrumhosting.com a-2-zwholesale.com mnehbr.cloud hot51.one 3g10v4jwti2tur96.digital barbosasilvaadv.com addidas.me onpu.sa.com pienso-mascotas.com brinkmicro.com mari4731.com redtocsin.com tarponspringshandyman.com shknote.com jacksonholekush.com thephilosophyacademy.com gsolartech.com oferstar.com earlyrepeal.online medi-vacations.net bigredsellshomes.com bonitageeks.icu bossingh.xyz shanghaizang.com maisonlectio.com monktech.xyz hsmm999.com bateful.com billiondollar.company millesimevintage.com

Targets

- Target
  
  SecuriteInfo.com.Win32.Malware-gen.15285.91.exe
- Size
  
  777KB
- MD5
  
  aff165c8241720f92c4670bdbaa61e9f
- SHA1
  
  d5e9c9c4b081f7a383826a24a59cb71d8e0a0d98
- SHA256
  
  db399100d63fa87dbc5d6596d2c44749c0cee86ea45d7e81206277c9cdacb9f1
- SHA512
  
  11c8ce3f400c08bd578481f17cefeb7bfa93a5868c6dfba6772f2f5c45eca9a80dbf881831b052c42cbaff1209d1042c9945dec13074600fa39851a9936a16be
- SSDEEP
  
  12288:4aDW4pT3boLduwYh0H7/C+khXx7ogdmTOeIurz7MJUXbXzaHyCkonBNyrj:4ajVsLduwA0HLC+k7MgdmTRrl/ronB0
Score

10^/10

modiloader trojan formbook t3c9 persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook

ModiLoader, DBatLoader

Formbook payload

ModiLoader Second Stage

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2