formbook

General

Target

nPO89854.tar
Size

435KB
Sample

230316-pg6z6aag42
MD5

eb20228a0c3e72d357e482ae23da2dc1
SHA1

c7182e9237e5757a16fbc056e062bcbf64dab436
SHA256

613aac6bca4a1628ad9717e84e44730ec74eec9bb771058eac5c1297a5f1c05b
SHA512

7176366686a9504107c36055aa4e3e07e198fba2e92517e670cab53a090a42e8c5859fd46551b8917db3ffc4fa577fad400a20570a21359767061c357ebf25af
SSDEEP

12288:KDNoDxbqbNFoe7Yf3mVMlo+2oDUSi6N0WllezU:KhoDJuFokMdeoYnU0Wls

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h3sc

Decoy

seemessage.com

bitlab.website

cheesestuff.ru

bhartiyafitness.com

bardapps.com

l7a4.com

chiara-samatanga.com

lesrollintioup.com

dropwc.com

mackey242.com

rackksfresheggs.com

thinkvlog.com

aidmedicalassist.com

firehousepickleball.net

sifreyonetici.com

teka-mart.com

ddttzone.xyz

macfeeupdate.com

ivocastillo.com

serjayparks.com

Targets

- Target
  
  PO89854.exe
- Size
  
  828KB
- MD5
  
  7c8067dc792a02d4d1211a2486a56334
- SHA1
  
  d1dd06a7a2c4b707882d1bb9559646aa049d4146
- SHA256
  
  ac4fce0e72e52a363a1cc5d5c425a2add422321772a84beb1d339b0bef76287a
- SHA512
  
  a360bb7bed4f1c5463fe357edea9e2ab29fafbff00400e778a7e9dadb311d65f954c02e327dbd664effacb70710b8138e1b29d5689af3160b44d8f72c4c81bd0
- SSDEEP
  
  12288:mMlTjVH4G4CWP/lAS2WW5dCvWSbmbrvPZb2v+9RWx6OPOKX:m4PV17WP6S2WWGuSirvPZwCPOPOK
Score

10^/10

modiloader trojan formbook h3sc persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Formbook payload

ModiLoader Second Stage

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2