formbook

General

Target

DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F
Size

369KB
Sample

230314-rv3wrsfh96
MD5

246782e67ffc11fa8097d2a7717d41f2
SHA1

11aabac093a18594972014560c00475d973ddbd0
SHA256

df3960bb0cd231428eeb614a4814eb449d5c857b61bc2f2e568cf5615a949e8f
SHA512

7b90225416dfb6de392882ded5f206b0b76fc7768d586bd1a39447cf0514c18a68405246b2b4f882a02d0845c3452fcdd6407052588390f6a6488d68bb6993b2
SSDEEP

6144:fIwC+b7acSfRGyK91pxFPACbd57OYMUxU5A54Ycf0GtxJh4u2BzkCcqPICxBFBXZ:gwrhSpGFHxFPAo7OwU5A+lT4u2BzlFbd

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ges9

Decoy

lolofestival.store

amzin.info

pulsahokii.xyz

bahiszirve.com

animekoe.com

kansastaxaccountant.net

howgoodisgod.online

medakaravan.xyz

pesmagazine.net

americanpopulist.info

nepalihandicraft.com

mariabakermodeling.com

cavify.top

onlinewoonboulevard.com

furniture-22830.com

ophthalmicpersonneltraining.us

yz1204.com

extrawhite.site

tomo.store

martfind.online

Targets

- Target
  
  DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F
- Size
  
  1.1MB
- MD5
  
  a6cef924a4bd619a96f27e3ea6bb57df
- SHA1
  
  d0caa19884d168e786dbb8edb40673553a61634f
- SHA256
  
  4a85949b7ffe19e22e4191b55b225cb3ac8b59246785144f585006b94e9ba574
- SHA512
  
  fc653c79211df1be06324979bd8d80cdc493e489a7d4775c967b11987c5ded36fbccbfdcca6705996348d9d126fe42b0971d4bf550db14963026fda3213c8f80
- SSDEEP
  
  12288:oX8lOqFSsZ40z3QjB2lr5fPx7Zh70WoQzV9hBoSFhAf1nAhglR:Q8ltFSQ3AB2zp7pcf1nAhglR
Score

10^/10

modiloader trojan formbook ges9 persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Formbook payload

ModiLoader Second Stage

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2