Overview

overview

10

Static

static

1

POJAN20217.exe

windows7-x64

1

POJAN20217.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    POJAN20217.exe

  • Size

    703KB

  • Sample

    230408-l7twqseg7s

  • MD5

    fbd062a526493f39857b1ff06b38e3b9

  • SHA1

    cb539fa1dc65214e029a94bb2476b0ec93223549

  • SHA256

    9c0b00c20b1b397ff688a1da698420f0f7453b962d4f732ed91189be7cae3c9c

  • SHA512

    bce4aaa0650ac0e6adafdecd38634a0a9d0b16c81363c341a4457441d376a2a1bcc2cb641cf1f3fd20ff8009fca4ddadec12d9e9d8628bc76e1fa2a580d4fcac

  • SSDEEP

    12288:jhdbZQFXq//Y4v3eftE3LSq/ysk+UlvLFB7u/GFI3dSq0j:zZQlSrvOftE3bxRUFJgdS/j

Score
10/10
formbookmodiloaderh3scpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h3sc

Decoy

seemessage.com

bitlab.website

cheesestuff.ru

bhartiyafitness.com

bardapps.com

l7a4.com

chiara-samatanga.com

lesrollintioup.com

dropwc.com

mackey242.com

rackksfresheggs.com

thinkvlog.com

aidmedicalassist.com

firehousepickleball.net

sifreyonetici.com

teka-mart.com

ddttzone.xyz

macfeeupdate.com

ivocastillo.com

serjayparks.com

Targets

    • Target

      POJAN20217.exe

    • Size

      703KB

    • MD5

      fbd062a526493f39857b1ff06b38e3b9

    • SHA1

      cb539fa1dc65214e029a94bb2476b0ec93223549

    • SHA256

      9c0b00c20b1b397ff688a1da698420f0f7453b962d4f732ed91189be7cae3c9c

    • SHA512

      bce4aaa0650ac0e6adafdecd38634a0a9d0b16c81363c341a4457441d376a2a1bcc2cb641cf1f3fd20ff8009fca4ddadec12d9e9d8628bc76e1fa2a580d4fcac

    • SSDEEP

      12288:jhdbZQFXq//Y4v3eftE3LSq/ysk+UlvLFB7u/GFI3dSq0j:zZQlSrvOftE3bxRUFJgdS/j

    Score
    10/10
    formbookmodiloaderh3scpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Formbook payload

      rat

    • ModiLoader Second Stage

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks