General

  • Target

    Signed PI % Payment Order Order.exe

  • Size

    1.1MB

  • Sample

    230111-kkww5sfe5s

  • MD5

    ce8dfa3ab6e40ef88605b208e48fdfa9

  • SHA1

    120c14d5da5c24721edd92f140b8a6de180679d7

  • SHA256

    72a32e559653c3ef0b9f2c2065707850b24225f77dd9ec4dd3ebfffed43002fb

  • SHA512

    27dd308465ff5ef1ad5b5bf2f6d433430b1b094b22d52ec13629b8c318cb2eb7de834d189c538057ccfb1e124744c64947aa46dd8c7133156eb89189124d95a7

  • SSDEEP

    24576:ygaIphuOCwQSQ8eD0nzOt1ytFvDgIFoc5:y2B2DmzOt1ytFvDpFoc

Malware Config

Extracted

Family

formbook

Campaign

nvp4

Decoy

EiywrQNofDNveWY1IESoBA==

yqEWFGRfErX7ICQCwyQ+YeLXtaA=

Ers0rc50nbjso0jbdZTmBw==

XQxVP45+F5OZn3ZBTC7MLe1OF3G5c5uK9A==

RHh4uwtsttjzlxy+eW3+

W+xQshfnvmF5n5x2d+cEVdBNIkQRHRE=

FwlyiuXNX0+Trw==

euLn91on/7DeDe++zbQ4YeLXtaA=

td4cO8m3HDRWtl8p7Q==

ZrlyAAPqc3GXI5k=

OM0IisKOI78FJC/IuIxxAu5nRg==

d6A0QJ6PV+AOpyK+eW3+

+EgxFWUu3Ulatl8p7Q==

GC/stck1ILXn+cWZx7w8W6rPFmO6c5uK9A==

hhIiK4+CKEOfB4tr

mA1pyQ85ye8N

4xgWYcEpEoidv8eXKNncAQ==

L+hOVbe+IWyc8oVUclc=

J7EGaJ+L+wKLXUYg7w==

L5R/nfdgQdMHD+TUKw1Zo3Hb

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

wise-transfer.info

jam-nins.com

thebestsocialcrm.com

majomeow222.com

ancientshadowguilt.space

gentleman-china.com

parquemermoz.store

taxuw.com

sharqiyapaints.com

libraryofkath.com

1949wan.com

synqr.net

bitchessgirls.com

btonu.cfd

coding-bootcamps-16314.com

leadership22-tdh.site

maximsboutique.com

irishsummertruffles.com

sdnaqianchuan.com

uyews.xyz
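The decoded decoy list above is the part of a Formbook configuration a defender can act on immediately. A caveat first: a Formbook config mixes the operator's real C2 with decoy domains that the sample also contacts to mask the real one, and decoys are frequently legitimate registered sites, so a single DNS hit is a hunting lead rather than proof of infection, and auto-blocking the whole list can break legitimate traffic. What is distinctive is one host resolving several list members in a short window. The script below is an added example, not part of the sandbox report or of any Formbook tooling: it indexes the campaign n7ak domains, matches DNS log lines by exact name or subdomain (so `notaxuw.com` does not match `taxuw.com`), and counts distinct list members per client. The log line format and the client addresses are constructed for the example; adapt the regex to your resolver's log format.

```python
import re

# Domains copied verbatim from the second extracted Formbook config on this page
# (campaign n7ak, version 4.1). Only one of them is expected to be the live C2.
FORMBOOK_N7AK_DOMAINS = [
    "wise-transfer.info", "jam-nins.com", "thebestsocialcrm.com", "majomeow222.com",
    "ancientshadowguilt.space", "gentleman-china.com", "parquemermoz.store", "taxuw.com",
    "sharqiyapaints.com", "libraryofkath.com", "1949wan.com", "synqr.net",
    "bitchessgirls.com", "btonu.cfd", "coding-bootcamps-16314.com", "leadership22-tdh.site",
    "maximsboutique.com", "irishsummertruffles.com", "sdnaqianchuan.com", "uyews.xyz",
]

# Constructed resolver log format for this example (not a real product's format):
#   <timestamp> client=<ip> query=<name> type=<rrtype>
DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<qtype>\S+)"
)


def normalize(domain):
    """Lower-case and strip surrounding whitespace and a trailing root dot."""
    return domain.strip().lower().rstrip(".")


def build_index(domains):
    """Set of normalized domains for O(1) lookup of each candidate suffix."""
    return frozenset(normalize(d) for d in domains)


def matches(qname, index):
    """Return the listed domain that qname equals or is a subdomain of, else None.

    Walks label suffixes ("www.taxuw.com" -> "taxuw.com") instead of doing a
    substring search, so "notaxuw.com" is not reported as a hit for "taxuw.com".
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):          # candidates keep at least two labels
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate
    return None


def scan_dns_log(lines, index):
    """Return one hit record per log line whose query name is on the list."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:                              # unparseable line: skip, do not crash
            continue
        hit = matches(m["qname"], index)
        if hit:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": normalize(m["qname"]), "matched": hit})
    return hits


def distinct_hits_per_client(hits):
    """Map client -> number of distinct listed domains it queried.

    A host touching several list members is the Formbook decoy pattern;
    a lone hit on one (possibly legitimate) decoy is weak evidence on its own.
    """
    seen = {}
    for h in hits:
        seen.setdefault(h["client"], set()).add(h["matched"])
    return {client: len(domains) for client, domains in seen.items()}


# Constructed sample log lines for demonstration (not from the sandbox run).
SAMPLE_LOG = [
    "2023-01-11T10:14:02Z client=10.0.0.12 query=www.wise-transfer.info type=A",
    "2023-01-11T10:14:03Z client=10.0.0.12 query=taxuw.com. type=A",
    "2023-01-11T10:14:05Z client=10.0.0.12 query=ANCIENTSHADOWGUILT.SPACE type=A",
    "2023-01-11T10:14:06Z client=10.0.0.31 query=notaxuw.com type=A",
    "2023-01-11T10:14:07Z client=10.0.0.31 query=cdn.example.com type=AAAA",
    "this line is garbage and does not parse",
]

if __name__ == "__main__":
    idx = build_index(FORMBOOK_N7AK_DOMAINS)
    for client, n in distinct_hits_per_client(scan_dns_log(SAMPLE_LOG, idx)).items():
        print(f"{client}: {n} distinct Formbook n7ak list domains queried")
```

Run it as is to see the constructed host 10.0.0.12 flagged with three distinct list domains while 10.0.0.31 produces nothing; in production, feed it resolver logs and pivot from flagged clients to process and network telemetry before blocking anything.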

Targets

    • Target

      Signed PI % Payment Order Order.exe

    • Size

      1.1MB

    • MD5

      ce8dfa3ab6e40ef88605b208e48fdfa9

    • SHA1

      120c14d5da5c24721edd92f140b8a6de180679d7

    • SHA256

      72a32e559653c3ef0b9f2c2065707850b24225f77dd9ec4dd3ebfffed43002fb

    • SHA512

      27dd308465ff5ef1ad5b5bf2f6d433430b1b094b22d52ec13629b8c318cb2eb7de834d189c538057ccfb1e124744c64947aa46dd8c7133156eb89189124d95a7

    • SSDEEP

      24576:ygaIphuOCwQSQ8eD0nzOt1ytFvDgIFoc5:y2B2DmzOt1ytFvDpFoc

    • Formbook

      Formbook is an information-stealing malware family (form grabber and keylogger) that harvests credentials and other data entered into browsers and other applications and sends it to its command-and-control server.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Formbook payload

    • ModiLoader Second Stage

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, browsing history and autofill data.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
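Of the behaviours listed above, "Adds Run key to start application" is the one that leaves the cleanest host-side trace: a registry value written under a CurrentVersion\Run key, which Sysmon records as Event ID 13 (RegistryEvent, value set). The script below is an added example, not part of the sandbox report: it parses a simplified, constructed key="value" rendering of such events, flags writes to the Run/RunOnce family of keys, and raises the severity when either the writing process or the autorun target lives in a user-writable directory, which is what separates the installer case from the dropped-EXE case the report describes. Field names follow Sysmon's Event ID 13 schema (Image, TargetObject, Details, EventType); the specific paths, SIDs and value names in the sample events are constructed for the example.

```python
import re

# Autorun keys under both native and Wow6432Node Software hives.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce)\\",
    re.IGNORECASE,
)

# Directories an unprivileged user can write to; binaries started from here
# by an autorun entry deserve more suspicion than ones under Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|Public|Downloads|ProgramData)\\", re.IGNORECASE
)

# Constructed line format for this example: space-separated Key="Value" pairs,
# a flattened stand-in for the Sysmon XML an agent would normally ship.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one Key="Value" line into a dict; unknown/malformed lines give {}."""
    return dict(FIELD_RE.findall(line))


def score_run_key_event(ev):
    """Return (severity, reasons) for a Run-key write, or None if the event is not one."""
    if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
        return None
    key_hit = RUN_KEY_RE.search(ev.get("TargetObject", ""))
    if not key_hit:
        return None                      # registry write, but not to an autorun key
    reasons = [f"autorun value written under {key_hit.group(1)}"]
    severity = "medium"                  # legitimate installers do this too
    if USER_WRITABLE_RE.search(ev.get("Details", "")):
        reasons.append("autorun target lives in a user-writable directory")
        severity = "high"
    if USER_WRITABLE_RE.search(ev.get("Image", "")):
        reasons.append("writing process itself runs from a user-writable directory")
        severity = "high"
    return severity, reasons


def scan(lines):
    """Return one alert per line that scores as a Run-key persistence write."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        scored = score_run_key_event(ev)
        if scored:
            alerts.append({"image": ev.get("Image"), "target": ev.get("TargetObject"),
                           "severity": scored[0], "reasons": scored[1]})
    return alerts


# Constructed sample events (not from the sandbox run). The second one mirrors the
# report's behaviour: the lure-named executable writes a Run value pointing at a
# binary under the user's profile.
SAMPLE_EVENTS = [
    r'EventID="13" EventType="SetValue" Image="C:\Program Files\Vendor\setup.exe" '
    r'TargetObject="HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater" '
    r'Details="C:\Program Files\Vendor\updater.exe"',
    r'EventID="13" EventType="SetValue" '
    r'Image="C:\Users\bob\AppData\Local\Temp\Signed PI % Payment Order Order.exe" '
    r'TargetObject="HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Update" '
    r'Details="C:\Users\bob\AppData\Roaming\update\update.exe"',
    r'EventID="13" EventType="SetValue" Image="C:\Windows\System32\services.exe" '
    r'TargetObject="HKLM\System\CurrentControlSet\Services\Spooler\Start" Details="DWORD (0x00000002)"',
    r'EventID="1" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c whoami"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f'[{a["severity"]}] {a["image"]} -> {a["target"]}: {"; ".join(a["reasons"])}')
```

The medium/high split is deliberate: a Run-key write alone fires on every software installer, so routing only the high-severity alerts (user-writable source or target) to a human keeps the rule usable, while the medium ones remain searchable for retrospective hunting once a hash like the one in this report is known.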

MITRE ATT&CK Matrix ATT&CK v6

Tactic              Technique                            Count  ID
Execution           Command-Line Interface               1      T1059
Persistence         Registry Run Keys / Startup Folder   1      T1060
Defense Evasion     Modify Registry                      2      T1112
Credential Access   Credentials in Files                 1      T1081
Discovery           System Information Discovery         1      T1082
Collection          Data from Local System               1      T1005

Tasks