formbook | c5ef403f6eb24be53ab7293ad56c54f6853df005b6b9d34c48f0132d794a32d9 | Triage

Sharing

General

Target

Payment (2).r11.rar
Size

423KB
Sample

230505-rrt5fsba64
MD5

d90dc4011ae0968a98859f42a06277d4
SHA1

1c7a02430b048e5d71ecdbdcea17025bfbdc9510
SHA256

c5ef403f6eb24be53ab7293ad56c54f6853df005b6b9d34c48f0132d794a32d9
SHA512

7d7b7ccd564557375954f02cc5681de8f9b889a62934fc1bbcb6fd66d11fb2712e851d2a5f19505f215b571e8c0fb14817609f30ea04c4d7e80d800d2417a3d7
SSDEEP

12288:oxLbhYmZHdfZQWkLjrKeoctrb2WEf6gLWro:GZHdGWkDvpzrro

Score

10^/10

formbook modiloader bs92 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bs92

Decoy

czwjss.top

delightpgener.top

jannicebnaturotherapies.com

emotionalsupportpandas.com

hotbrasil.shop

abc3k.com

dklending.com

dyxs30.com

474lakeshore4110.info

hdriole.xyz

comicswithaudio.com

hotmeetingsfree.club

albinadolova.ru

agrijan.com

dylane-cv.com

htctuan.com

jacketnorway.com

equora.ru

cloud11.store

olalekanadmin.africa

Targets

- Target
  
  Payment (2).exe
- Size
  
  957KB
- MD5
  
  2ebf7f5b65c0e71bf0f36e8e9bbde1c3
- SHA1
  
  94f3d18e57d6483c03cae67478bb559a2e3ae0f8
- SHA256
  
  c1d948fee0541e31cfa3affa9d99a6ad6cf287601f3ddae9238c3ca379a4686c
- SHA512
  
  e5ff1f5b652b2f16f225bf465bbee6340560d75b7e5e8460afab86db23ec1989faa9f5fe1f182c047ba7a9dcbfcd7a299fa3b0103786f279b48bc20d1100b59b
- SSDEEP
  
  12288:0nONo4ehvLMuotC0NgicDPP2sBJ79D67KI04YCE+PhcimEwz8dQNHTcFpI2qjS:0nOPeFGhgicDnDRZBCEMcihwId+jT
Score

10^/10

modiloader trojan formbook bs92 persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

formbookmodiloaderbs92persistenceratspywarestealertrojan