formbook

General

Target

Attached Proforma Invoice.exe
Size

678KB
Sample

230203-vb9fzsbf6s
MD5

9f0e000d75cf201d56f68e51a0c43cc5
SHA1

54d6592876e9261109fbd60ae2e078f475f74f1e
SHA256

02033ee5f18dc5c14cca3e808111693ff1b41d8d705268ae55e86251fe6bcc8b
SHA512

fe72606ae529ef5522b7681b66118c516c6f3ea55844441196f1143ab684dba5daee89dfcdf957b291a16ee862d575accdfe1b45837d4ac01645da894492f64e
SSDEEP

12288:+J8P4O2utBLvuQ4ZNn1AjnJzQFftOZCcgy:mIWutBLm/NnoJzQFW

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

wise-transfer.info

jam-nins.com

thebestsocialcrm.com

majomeow222.com

ancientshadowguilt.space

gentleman-china.com

parquemermoz.store

taxuw.com

sharqiyapaints.com

libraryofkath.com

1949wan.com

synqr.net

bitchessgirls.com

btonu.cfd

coding-bootcamps-16314.com

leadership22-tdh.site

maximsboutique.com

irishsummertruffles.com

sdnaqianchuan.com

uyews.xyz

Targets

- Target
  
  Attached Proforma Invoice.exe
- Size
  
  678KB
- MD5
  
  9f0e000d75cf201d56f68e51a0c43cc5
- SHA1
  
  54d6592876e9261109fbd60ae2e078f475f74f1e
- SHA256
  
  02033ee5f18dc5c14cca3e808111693ff1b41d8d705268ae55e86251fe6bcc8b
- SHA512
  
  fe72606ae529ef5522b7681b66118c516c6f3ea55844441196f1143ab684dba5daee89dfcdf957b291a16ee862d575accdfe1b45837d4ac01645da894492f64e
- SSDEEP
  
  12288:+J8P4O2utBLvuQ4ZNn1AjnJzQFftOZCcgy:mIWutBLm/NnoJzQFW
Score

10^/10

modiloader trojan formbook n7ak persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Formbook payload

ModiLoader Second Stage

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2