formbook

General

Target

f5bccca6f16c275e30b2bbd2732c19bc.bin
Size

299KB
Sample

230505-zavnnafd8z
MD5

8f93bcd45f7bd6d10aa4f7094dcfa2f7
SHA1

8e28a2d965be1295737d0a4783c42fd4311564e9
SHA256

9c5e8d4edcfb492d6c8911534454ffb6acc6023e02a10c9b2d22119b6c6455fc
SHA512

809a4bf8fd27796405310289d2b118ec725c744988d338c6f3326f8ece3e3c2b11d867377b1d519cbf574b6ea6ae4b349d3d6b617647ebd993dd447fa63f58e2
SSDEEP

6144:5yg39knWop87/AJdX2QNHwsY3BC1YKRbu9HuAnhKzhANJikPUs86Q+/WpmC/wvEQ:r9knnp87oJBFmf3BC1YKRy9/nhKzhANp

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Targets

- Target
  
  25c58bf051df8e65c188ba0ae6a183ed8e8fc129543d2c2fd0ebb511b7459327
- Size
  
  769KB
- MD5
  
  056c8e14391eace2a7bbce0e4fbf7fd3
- SHA1
  
  8a821a498353d62a8a2f82f7dd4cb71a75469a5e
- SHA256
  
  93b465d7ee036386b53254f8ba73fa8ec121b5182cc3dccc6a42426f69130be3
- SHA512
  
  3d0f9b97d9fd0c1769cab13aaf325a54f124141671c8b47f9679c1754b2968b79d986d9aaa6db4daaee5844fb97adcf489a6d80c8afcc5f13f7de2500890f7b0
- SSDEEP
  
  12288:Hu+e4v0ma0dwwcQNHRh+ZXiwBdbPmWNshnBMQfhxN2rn4PhWu7:HuRQq0iwcmhEffeWizhxN2rn4P
Score

10^/10

modiloader trojan formbook kmge persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Formbook payload

ModiLoader Second Stage

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2