formbook

General

Target

kvpsqhhqexe.zip
Size

293KB
Sample

230209-z4rh4aea9v
MD5

4c86d0254fa8db3a7e5bcf77d42672af
SHA1

3196347f84202ef80efe92408def5bc1f988f502
SHA256

087b600c1119ae4a70913add26dc7fc0f91fc38bb94407c80e5cb9e190bcf398
SHA512

cfc897bcb129422ec941892921ecc1ef6c35d197210a8472a5a4a8528b09c69c3a68bd3667fe7f54f41ae9f15a803f71e0241d1956b938a3e4e07d5e4d682d2e
SSDEEP

6144:7vCu8EgJSbw5qSdv0KrpFIVo5ZHNQiawXvr2l3IcuH1gfRd5ZFAX:LBjySu0qpnHOiZKqcuWf/zu

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Targets

- Target
  
  434f568f604b646a5d279c2c22663b4a7ad778357b0a2bc2c51577b2f1e56abc.bin
- Size
  
  602KB
- MD5
  
  0ce62287e803b2bc9c07d11c90f69f2e
- SHA1
  
  c54c4456909fa814e8220e9a2ad3431b0cb0e683
- SHA256
  
  434f568f604b646a5d279c2c22663b4a7ad778357b0a2bc2c51577b2f1e56abc
- SHA512
  
  3e9a586484ba168429889fe7fdb6d8e4f6f3df24a208a3fa91f08563d2161956af05fca07cd1612bb0be04386260f04ecacf290ed1b5cfd995c5eb810bdc042e
- SSDEEP
  
  12288:+FgiXyZm+GGMM0J2Yl94CC4gSGSn8CjOtE:+FQmfo0tW4gjS8rE
Score

10^/10

modiloader trojan formbook kmge persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Formbook payload

ModiLoader Second Stage

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2