formbook

General

Target

1430ef247170b2554def5fda1597c98f06a634b6285e441e90445a27d0956d46
Size

816KB
Sample

230407-m99kmsag6y
MD5

efb091a4d641910c4dab28ce7c1267e3
SHA1

35cbeb410dca9e039dfcbea18d367816ee6c7353
SHA256

1430ef247170b2554def5fda1597c98f06a634b6285e441e90445a27d0956d46
SHA512

6f2c97ac1da034c31aac3fbee1f95056365c04849dc253701b1aeaa7089344c6aefaf8a54c45e413cdb46e23d88c87a0af167b7b497da0d76df4cedcb6acfbff
SSDEEP

12288:AkqyglaEq3vgPIzZpurCqayn2zetLP+L2/WXwCui8lvLFB7u/GFI3dSq0j:AkCAYIzZpurCqaZ8/EwC/8FJgdS/j

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h3sc

Decoy

seemessage.com

bitlab.website

cheesestuff.ru

bhartiyafitness.com

bardapps.com

l7a4.com

chiara-samatanga.com

lesrollintioup.com

dropwc.com

mackey242.com

rackksfresheggs.com

thinkvlog.com

aidmedicalassist.com

firehousepickleball.net

sifreyonetici.com

teka-mart.com

ddttzone.xyz

macfeeupdate.com

ivocastillo.com

serjayparks.com

Targets

- Target
  
  1430ef247170b2554def5fda1597c98f06a634b6285e441e90445a27d0956d46
- Size
  
  816KB
- MD5
  
  efb091a4d641910c4dab28ce7c1267e3
- SHA1
  
  35cbeb410dca9e039dfcbea18d367816ee6c7353
- SHA256
  
  1430ef247170b2554def5fda1597c98f06a634b6285e441e90445a27d0956d46
- SHA512
  
  6f2c97ac1da034c31aac3fbee1f95056365c04849dc253701b1aeaa7089344c6aefaf8a54c45e413cdb46e23d88c87a0af167b7b497da0d76df4cedcb6acfbff
- SSDEEP
  
  12288:AkqyglaEq3vgPIzZpurCqayn2zetLP+L2/WXwCui8lvLFB7u/GFI3dSq0j:AkCAYIzZpurCqaZ8/EwC/8FJgdS/j
Score

10^/10

formbook modiloader h3sc persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Formbook payload

ModiLoader Second Stage

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2