formbook

General

Target

SecuriteInfo.com.Win32.DropperX-gen.11338.19707.exe
Size

699KB
Sample

221212-mkyf3sbb29
MD5

b3d1c442f9b4d657dfe090da69c87751
SHA1

99c32ecb6d8a8c7e78a908cd09b32bac0502885f
SHA256

03daa8dcea75f814b344785dc1f52222cd4461bccc17a35f032efe81e47d18be
SHA512

cbe8a77d73751455518f5a28dbbcfd16e395858690e1b57c812a0a008b88bdc1dcd49894c205f6f59f806c0342e3be2eda7c96fdbc98d5c5659deebf513e050e
SSDEEP

12288:snVmudzJUo8PhrmipEsHrt5SslxqAoAYyNG/xhIL/2nSrJWIXnyGS:sVm4Uo8ESLbS8xCaG7

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t3c9

Decoy

shadeshmarriagemedia.com

e-russ.com

sofiashome.com

theworriedwell.com

americantechfront.com

seasonssparkling.com

maximuscanada.net

tifin-private-markets.com

amecc2.net

xuexi22.icu

injectiontek.com

enrrocastoneimports.com

marvelouslightcandleco.com

eaamedia.com

pmediaerp.com

tikivips111.com

chesterfieldcleaningcare.com

thecrowdedtablemusic.com

duncanvillepanthers.com

floriculturajoinville.xyz

Targets

- Target
  
  SecuriteInfo.com.Win32.DropperX-gen.11338.19707.exe
- Size
  
  699KB
- MD5
  
  b3d1c442f9b4d657dfe090da69c87751
- SHA1
  
  99c32ecb6d8a8c7e78a908cd09b32bac0502885f
- SHA256
  
  03daa8dcea75f814b344785dc1f52222cd4461bccc17a35f032efe81e47d18be
- SHA512
  
  cbe8a77d73751455518f5a28dbbcfd16e395858690e1b57c812a0a008b88bdc1dcd49894c205f6f59f806c0342e3be2eda7c96fdbc98d5c5659deebf513e050e
- SSDEEP
  
  12288:snVmudzJUo8PhrmipEsHrt5SslxqAoAYyNG/xhIL/2nSrJWIXnyGS:sVm4Uo8ESLbS8xCaG7
Score

10^/10

modiloader trojan formbook t3c9 persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Formbook payload

ModiLoader Second Stage

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2