formbook

General

Target

U prilogu je nova lista narudzbi.zip
Size

655KB
Sample

230405-wzw18sag5t
MD5

efaacde46ab461bf5ad32e0a092c8152
SHA1

4ebb99bb2171fb24c2801230b711e5634964589a
SHA256

981bd77a2a71c5cb06a8198347b8a49e8b207d8c0d532e80c405b018084181b9
SHA512

88933f6c3db2cdae5eb35448da58586bd187ba765db73cedd9ae9705900e12bc1043a826859f7809dc1745323827b5d35c1219f21f2eecffb9ccdcf0e3d4a9af
SSDEEP

12288:s2MAR54NtnW46nT/fHGBd8HqFDG9O5rOaR8kbgzHmABkP79mTiO6M5KCke:s2Mu4NtnWtnHMjbNLR8kNUqqiO6M5Khe

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

slot999.site

hagsahoy.com

howdyart.com

orders-marketplace.com

ranaa.email

masterlink.guru

archershut.com

weikumcommunications.com

dphardmoney.com

shjyutie.com

vivaberlin.net

mycto.today

curvygirlugc.com

otnmp.cfd

alwrists.com

propercandlecompany.com

allindustry-bg.com

theyoungbizacademy.com

expand658170.com

leslainesdumouchon.com

Targets

- Target
  
  U prilogu je nova lista narudzbi.exe
- Size
  
  1.0MB
- MD5
  
  3df77cd9b148f741aabafae673c30c15
- SHA1
  
  40799ad5fbf94780eccd795ef07e77303b6638d9
- SHA256
  
  0080c65d479bdb2212ce757c8c874b8d10e2c341a557b40e5e4a1e97b889f1dd
- SHA512
  
  f453160682183f45e909b1e489e1c20ad3197d4327e57cb151f36765c70dea2b084c5ab2787cb6263f1aebaaabfff91ebbea54042d54227781468027e0410d91
- SSDEEP
  
  24576:v6R9yfVUXwTEfF59XADz3OjaZQQJ0nhUGfAp7LM:v6mO0MF59XADzejakuGfA1M
Score

10^/10

formbook modiloader 3nop persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Formbook payload

ModiLoader Second Stage

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2