Overview

overview

10

Static

static

3

PURCHASE001.exe

windows7-x64

10

PURCHASE001.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PURCHASE001.exe.bin

  • Size

    876KB

  • Sample

    230501-ywqq6aab3s

  • MD5

    73fb99c411ecc3783a6f8ca99c4b38d3

  • SHA1

    0fac050f30927c0bdb6a59b629a28e9d9277b741

  • SHA256

    be67380a29f7a6441a097d6921cf5c7348bc0ed6d20844b7ec662c24d96c82a5

  • SHA512

    115b8e5b9327b5040aa128cb27df87a21d39e283514ee27b6385566c97f3741b4fb2bf31a8ae9ac013a5faca3613654b6d8fcbf7e67ddaa8a1c36b722c258b67

  • SSDEEP

    12288:NtN+qFRD49GYo3EU9Aj4aNJqzSiMpV+j5fnur1/AUiXZSGjrJ3xigV:NLX89GZ9NaLlpo5S7oZ//J3L

Score
10/10
formbookmodiloaderh3scpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h3sc

Decoy

seemessage.com

bitlab.website

cheesestuff.ru

bhartiyafitness.com

bardapps.com

l7a4.com

chiara-samatanga.com

lesrollintioup.com

dropwc.com

mackey242.com

rackksfresheggs.com

thinkvlog.com

aidmedicalassist.com

firehousepickleball.net

sifreyonetici.com

teka-mart.com

ddttzone.xyz

macfeeupdate.com

ivocastillo.com

serjayparks.com

Targets

    • Target

      PURCHASE001.exe.bin

    • Size

      876KB

    • MD5

      73fb99c411ecc3783a6f8ca99c4b38d3

    • SHA1

      0fac050f30927c0bdb6a59b629a28e9d9277b741

    • SHA256

      be67380a29f7a6441a097d6921cf5c7348bc0ed6d20844b7ec662c24d96c82a5

    • SHA512

      115b8e5b9327b5040aa128cb27df87a21d39e283514ee27b6385566c97f3741b4fb2bf31a8ae9ac013a5faca3613654b6d8fcbf7e67ddaa8a1c36b722c258b67

    • SSDEEP

      12288:NtN+qFRD49GYo3EU9Aj4aNJqzSiMpV+j5fnur1/AUiXZSGjrJ3xigV:NLX89GZ9NaLlpo5S7oZ//J3L

    Score
    10/10
    formbookmodiloaderh3scpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Formbook payload

      rat

    • ModiLoader Second Stage

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks