formbook

General

Target

1b0be50f700de57af68f6ed4c97f2b3a8e28ea5ab4bcd977aa6799553803edba
Size

709KB
Sample

230210-cv1dbaeg3v
MD5

e27fbadf3b4c680755af9286b4b6cf6b
SHA1

cfa2a558737840f956c7726c905b64fec5c2b472
SHA256

1b0be50f700de57af68f6ed4c97f2b3a8e28ea5ab4bcd977aa6799553803edba
SHA512

34391dfdc5dc1c5f8e1437b590cae7fdfa93c3e95a3c4bde32b581b5c1a5527e5c9372859d14be752fd7252d52ace2cce550f79742fd879e9096d92f5aefc65c
SSDEEP

12288:jBL6dBqd7X5BqO2VaHuD/etbrU9+/vqy5g7i+zAXrc:1WyXvqOiaHuD/eRa+/vt5F+zy

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

nvp4

Decoy

EiywrQNofDNveWY1IESoBA==

yqEWFGRfErX7ICQCwyQ+YeLXtaA=

Ers0rc50nbjso0jbdZTmBw==

XQxVP45+F5OZn3ZBTC7MLe1OF3G5c5uK9A==

RHh4uwtsttjzlxy+eW3+

W+xQshfnvmF5n5x2d+cEVdBNIkQRHRE=

FwlyiuXNX0+Trw==

euLn91on/7DeDe++zbQ4YeLXtaA=

td4cO8m3HDRWtl8p7Q==

ZrlyAAPqc3GXI5k=

OM0IisKOI78FJC/IuIxxAu5nRg==

d6A0QJ6PV+AOpyK+eW3+

+EgxFWUu3Ulatl8p7Q==

GC/stck1ILXn+cWZx7w8W6rPFmO6c5uK9A==

hhIiK4+CKEOfB4tr

mA1pyQ85ye8N

4xgWYcEpEoidv8eXKNncAQ==

L+hOVbe+IWyc8oVUclc=

J7EGaJ+L+wKLXUYg7w==

L5R/nfdgQdMHD+TUKw1Zo3Hb

Targets

- Target
  
  1b0be50f700de57af68f6ed4c97f2b3a8e28ea5ab4bcd977aa6799553803edba
- Size
  
  709KB
- MD5
  
  e27fbadf3b4c680755af9286b4b6cf6b
- SHA1
  
  cfa2a558737840f956c7726c905b64fec5c2b472
- SHA256
  
  1b0be50f700de57af68f6ed4c97f2b3a8e28ea5ab4bcd977aa6799553803edba
- SHA512
  
  34391dfdc5dc1c5f8e1437b590cae7fdfa93c3e95a3c4bde32b581b5c1a5527e5c9372859d14be752fd7252d52ace2cce550f79742fd879e9096d92f5aefc65c
- SSDEEP
  
  12288:jBL6dBqd7X5BqO2VaHuD/etbrU9+/vqy5g7i+zAXrc:1WyXvqOiaHuD/eRa+/vt5F+zy
Score

10^/10

modiloader trojan formbook nvp4 persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader Second Stage
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

ModiLoader Second Stage

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2