formbook | c1d948fee0541e31cfa3affa9d99a6ad6cf287601f3ddae9238c3ca379a4686c | Triage

Sharing

General

Target

Payment (2).exe
Size

957KB
Sample

230505-rj6hhsch31
MD5

2ebf7f5b65c0e71bf0f36e8e9bbde1c3
SHA1

94f3d18e57d6483c03cae67478bb559a2e3ae0f8
SHA256

c1d948fee0541e31cfa3affa9d99a6ad6cf287601f3ddae9238c3ca379a4686c
SHA512

e5ff1f5b652b2f16f225bf465bbee6340560d75b7e5e8460afab86db23ec1989faa9f5fe1f182c047ba7a9dcbfcd7a299fa3b0103786f279b48bc20d1100b59b
SSDEEP

12288:0nONo4ehvLMuotC0NgicDPP2sBJ79D67KI04YCE+PhcimEwz8dQNHTcFpI2qjS:0nOPeFGhgicDnDRZBCEMcihwId+jT

Score

10^/10

formbook modiloader bs92 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bs92

Decoy

czwjss.top

delightpgener.top

jannicebnaturotherapies.com

emotionalsupportpandas.com

hotbrasil.shop

abc3k.com

dklending.com

dyxs30.com

474lakeshore4110.info

hdriole.xyz

comicswithaudio.com

hotmeetingsfree.club

albinadolova.ru

agrijan.com

dylane-cv.com

htctuan.com

jacketnorway.com

equora.ru

cloud11.store

olalekanadmin.africa

Targets

- Target
  
  Payment (2).exe
- Size
  
  957KB
- MD5
  
  2ebf7f5b65c0e71bf0f36e8e9bbde1c3
- SHA1
  
  94f3d18e57d6483c03cae67478bb559a2e3ae0f8
- SHA256
  
  c1d948fee0541e31cfa3affa9d99a6ad6cf287601f3ddae9238c3ca379a4686c
- SHA512
  
  e5ff1f5b652b2f16f225bf465bbee6340560d75b7e5e8460afab86db23ec1989faa9f5fe1f182c047ba7a9dcbfcd7a299fa3b0103786f279b48bc20d1100b59b
- SSDEEP
  
  12288:0nONo4ehvLMuotC0NgicDPP2sBJ79D67KI04YCE+PhcimEwz8dQNHTcFpI2qjS:0nOPeFGhgicDnDRZBCEMcihwId+jT
Score

10^/10

modiloader trojan formbook bs92 persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

formbookmodiloaderbs92persistenceratspywarestealertrojan