General

  • Target

    6959ae7ac9f823f8b4f6d928c436d1aa47cc981372370f8f943bb60191ce2465.exe

  • Size

    789KB

  • Sample

    230405-m52z1afg7v

  • MD5

    362825d11d1a6f4251d57ed651af5101

  • SHA1

    a9634c3a4aeca93cba854c6e0f1f7b35be3cc738

  • SHA256

    6959ae7ac9f823f8b4f6d928c436d1aa47cc981372370f8f943bb60191ce2465

  • SHA512

    b4b223db004d2a0e1f068884f015981bca112b978bf1ccc4d9d514dbc5eaa44859b6201a29230a18da72daa042f659fbf6a7584332f5eb13a54a083ea3da118d

  • SSDEEP

    12288:cJKKlhHK7aNM7pU5NVu+dddEDC/BBaA19a0N/foaOikawav:UHnKeeFU5NVrPEDSBBTNYaRktav

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t3c9

Decoy

shadeshmarriagemedia.com

e-russ.com

sofiashome.com

theworriedwell.com

americantechfront.com

seasonssparkling.com

maximuscanada.net

tifin-private-markets.com

amecc2.net

xuexi22.icu

injectiontek.com

enrrocastoneimports.com

marvelouslightcandleco.com

eaamedia.com

pmediaerp.com

tikivips111.com

chesterfieldcleaningcare.com

thecrowdedtablemusic.com

duncanvillepanthers.com

floriculturajoinville.xyz
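A Formbook config carries a list of domains of which only one is the live C2; the malware beacons to all of them, decoys included, so a request to any of these hosts from an endpoint is a useful hunt signal, while the decoys themselves can be legitimate sites that also see benign traffic. The following script is an added example and not part of the sandbox report: it runs the extracted domain list over constructed proxy log lines and rates each hit. It assumes Formbook's check-in URI starts with the campaign identifier (here /t3c9/), which is the shape of its known traffic, and the four-column log format is made up for the example, not a real product's.

```python
"""Hunt Formbook beacons in constructed proxy logs against the extracted config."""
import re
from urllib.parse import urlsplit

# Decoy/C2 domains as extracted from this sample's Formbook config (see report above).
FORMBOOK_DOMAINS = {
    "shadeshmarriagemedia.com", "e-russ.com", "sofiashome.com", "theworriedwell.com",
    "americantechfront.com", "seasonssparkling.com", "maximuscanada.net",
    "tifin-private-markets.com", "amecc2.net", "xuexi22.icu", "injectiontek.com",
    "enrrocastoneimports.com", "marvelouslightcandleco.com", "eaamedia.com",
    "pmediaerp.com", "tikivips111.com", "chesterfieldcleaningcare.com",
    "thecrowdedtablemusic.com", "duncanvillepanthers.com", "floriculturajoinville.xyz",
}
CAMPAIGN = "t3c9"  # campaign id from the extracted config

# Constructed log lines in a made-up format: "<epoch> <client_ip> <METHOD> <url>".
SAMPLE_LOG = [
    "1680700000 10.0.0.15 GET http://www.sofiashome.com/t3c9/?Yp=AbC&uF=12345",
    "1680700001 10.0.0.15 GET http://www.example.com/index.html",
    "1680700002 10.0.0.15 POST http://amecc2.net/t3c9/",
    "1680700003 10.0.0.22 GET http://AMECC2.net:8080/about",
    "garbage line that should be skipped",
]

LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so hosts match the config list."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_request(url: str, domains=FORMBOOK_DOMAINS, campaign=CAMPAIGN):
    """Return 'high', 'medium' or None for one request URL.

    high   : host is in the config list AND the path starts with the campaign id
             (assumed check-in URI shape, e.g. /t3c9/).
    medium : host is in the config list but the path does not look like a check-in;
             decoy domains may be legitimate sites, so this needs analyst review.
    """
    parts = urlsplit(url)
    host = normalize_host(parts.hostname or "")  # hostname is already port-stripped
    if host not in domains:
        return None
    return "high" if parts.path.startswith(f"/{campaign}/") else "medium"


def find_formbook_beacons(lines, domains=FORMBOOK_DOMAINS, campaign=CAMPAIGN):
    """Parse log lines, skipping malformed ones, and return the rated hits in order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["url"], domains, campaign)
        if verdict:
            parts = urlsplit(m["url"])
            hits.append({
                "client": m["client"],
                "method": m["method"],
                "host": normalize_host(parts.hostname or ""),
                "path": parts.path,
                "confidence": verdict,
            })
    return hits


if __name__ == "__main__":
    for hit in find_formbook_beacons(SAMPLE_LOG):
        print(hit)
```

Run against real proxy or DNS logs, replace `LOG_RE` with the product's format and keep the two-tier rating: a "high" hit (config domain plus campaign path) is worth an immediate host triage, a "medium" hit on a decoy domain may be an employee browsing a legitimate site.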

Targets

    • Target

      6959ae7ac9f823f8b4f6d928c436d1aa47cc981372370f8f943bb60191ce2465.exe

    • Size

      789KB

    • MD5

      362825d11d1a6f4251d57ed651af5101

    • SHA1

      a9634c3a4aeca93cba854c6e0f1f7b35be3cc738

    • SHA256

      6959ae7ac9f823f8b4f6d928c436d1aa47cc981372370f8f943bb60191ce2465

    • SHA512

      b4b223db004d2a0e1f068884f015981bca112b978bf1ccc4d9d514dbc5eaa44859b6201a29230a18da72daa042f659fbf6a7584332f5eb13a54a083ea3da118d

    • SSDEEP

      12288:cJKKlhHK7aNM7pU5NVu+dddEDC/BBaA19a0N/foaOikawav:UHnKeeFU5NVrPEDSBBTNYaRktav

    • Formbook

      Formbook is an information stealer sold as malware-as-a-service. It hooks browser and application functions to grab submitted form data and keystrokes, reads the clipboard, takes screenshots and harvests stored browser credentials, then exfiltrates them over HTTP to its C2.

    • ModiLoader, DBatLoader

      ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses public cloud and file-hosting services to fetch its second stage, which then delivers the final payload (Formbook in this sample).

    • Formbook payload

    • ModiLoader Second Stage

    • Reads user/profile data of web browsers

      Infostealers commonly read browser profile directories for saved credentials, cookies and session tokens, autofill data and history.

    • Adds Run key to start application

      Persistence through a value under HKCU or HKLM ...\CurrentVersion\Run, so the payload is relaunched at every logon (T1060 in the matrix below).

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another (typically suspended) process is the step that redirects execution into injected code before ResumeThread, the classic process-hollowing pattern.
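The Run-key behaviour above is cheap to hunt for at scale because the keys export as plain text. The script below is an added example, not code from the sandbox report: it parses a constructed `reg export` style dump of the HKCU and HKLM Run keys and flags entries whose executable lives in a user-writable location or whose value name masquerades as a Windows system binary outside \Windows. The registry values, paths and file names in the sample are made up for the example; the heuristics and the list of system binary names are the author's choices, not signatures from the report.

```python
"""Flag suspicious Run-key entries in a constructed reg-export dump (added example)."""
import re

# Constructed .reg style text as produced by `reg export` (values are made up):
# two legitimate autostarts and two that should be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Xnjfkd"="C:\\Users\\Public\\Libraries\\Xnjfkd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"svchost"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')  # string values only
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)

# Directories a standard user can write to; chosen to avoid flagging per-user vendor
# installs such as OneDrive under AppData\Local\<vendor>.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\programdata\\", "\\windows\\temp\\")
# Names malware commonly borrows; legitimate copies live under \Windows.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe",
                "winlogon.exe", "rundll32.exe"}


def unescape_reg(data: str) -> str:
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def exe_path(command: str) -> str:
    """Extract the executable path from a Run value, quoted or not."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def assess(command: str):
    """Return (path, reasons); an empty reasons list means nothing looked off."""
    path = exe_path(command)
    low = path.lower()
    reasons = []
    if any(seg in low for seg in USER_WRITABLE):
        reasons.append("binary in user-writable location")
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and "\\windows\\" not in low:
        reasons.append(f"masquerades as system binary {base}")
    return path, reasons


def parse_run_entries(reg_text: str):
    """Yield (key, value_name, command) for string values under Run/RunOnce keys."""
    entries = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km["key"] if RUN_KEY_RE.search(km["key"]) else None
            continue
        vm = VALUE_RE.match(line)
        if current and vm:
            entries.append((current, vm["name"], unescape_reg(vm["data"])))
    return entries


def find_suspicious_run_entries(reg_text: str):
    """Return a finding per flagged Run entry, in file order."""
    findings = []
    for key, name, command in parse_run_entries(reg_text):
        path, reasons = assess(command)
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_run_entries(SAMPLE_REG):
        print(f"{f['name']}: {f['path']} -> {'; '.join(f['reasons'])}")
```

On a live host, collect the input with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM key) and open the file with `encoding="utf-16"`, since `reg export` writes UTF-16LE. Any flagged path is then worth hashing and comparing with the SHA256 values listed in this report.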

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic              Technique                            Count  ID
Execution           Command-Line Interface               1      T1059
Persistence         Registry Run Keys / Startup Folder   1      T1060
Defense Evasion     Modify Registry                      2      T1112
Credential Access   Credentials in Files                 1      T1081
Discovery           System Information Discovery         1      T1082
Collection          Data from Local System               1      T1005

The count is the number of matching signatures for that technique. The mapping uses ATT&CK v6 identifiers: in current ATT&CK versions T1059 was split into sub-techniques (the Windows command shell is T1059.003), T1060 was folded into T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1081 into T1552.001 (Unsecured Credentials: Credentials In Files); T1112, T1082 and T1005 keep their IDs.

Tasks