formbook

General

Target

6B4878E4AEBFF478C4E55A2478EEF8B80D6EC46BF7B9EAE797E45C9AE78A188F
Size

254KB
Sample

230208-v23q5ade96
MD5

47fa311c4bf228d588ec57df1e6261d2
SHA1

0e586d63b1746ceccc0a49a8fdc52784cc3ae7f3
SHA256

6b4878e4aebff478c4e55a2478eef8b80d6ec46bf7b9eae797e45c9ae78a188f
SHA512

56ec299996917e83cd96c880d5de14597772dbb6bce807f78e6c50ab6078b173c9ff084283199188374be56aedfbf9025f0816f2abf5fc31a69c4843b8342590
SSDEEP

6144:KeCb3WLSj86D+rh9AoCJpuoUINuxBG7mQzUSLA:vSw6MhepzNuXGyKA

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Targets

- Target
  
  6B4878E4AEBFF478C4E55A2478EEF8B80D6EC46BF7B9EAE797E45C9AE78A188F
- Size
  
  622KB
- MD5
  
  0e28ab44ff7eaa74be08eedba3072f99
- SHA1
  
  0614f14830b92f7e4229a8c28470f9d8d43a760c
- SHA256
  
  d6e7274f9866e7f1fff9bb501a4b5a6d995529115760aec4760e84c2699473b1
- SHA512
  
  88ecac3571b22bc38cd1f95d806baf8fe62000add4238b80ec56faa3c2bba9255a79384f1e36c8bcc83d3306a436904df71cb4f5e85549a3c7e1a77c0ca38d26
- SSDEEP
  
  12288:yCcEnCFtzHTM75t9EPlJr7QlRKXrzAXrcYqI:yXECzHTM75tMD7gqrzycI
Score

10^/10

modiloader trojan formbook kmge persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Formbook payload

ModiLoader Second Stage

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2