formbook | 978d25370641e03d4faa264e3e0d91cecf023cf5dd49cad828eb7a4fa261cfb9 | Triage

Sharing

General

Target

2ebf7f5b65c0e71bf0f36e8e9bbde1c3.bin
Size

505KB
Sample

230507-blevkshg8z
MD5

a37f7606204f6b67bd0dd57fc0db1fb3
SHA1

427f44e84d219937119543082dff47371df8817c
SHA256

978d25370641e03d4faa264e3e0d91cecf023cf5dd49cad828eb7a4fa261cfb9
SHA512

7d152e086cb5e288e6ac04e92918a874c41802a81a4b68a50c881c8c30cee000147e3bff805ec134a8ddd19e2e193ef82ccdd0df53dc95d8480220992821c979
SSDEEP

12288:N5uLRAQti19/J9ZXtk27GVDuolp98YpG7BJTgtrE5IwGnH8JeWQ1pt5G12:N5uLSQkvZi27Gvp9V47B2trE2DHfWQ3b

Score

10^/10

formbook modiloader bs92 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bs92

Decoy

czwjss.top

delightpgener.top

jannicebnaturotherapies.com

emotionalsupportpandas.com

hotbrasil.shop

abc3k.com

dklending.com

dyxs30.com

474lakeshore4110.info

hdriole.xyz

comicswithaudio.com

hotmeetingsfree.club

albinadolova.ru

agrijan.com

dylane-cv.com

htctuan.com

jacketnorway.com

equora.ru

cloud11.store

olalekanadmin.africa

Targets

- Target
  
  c1d948fee0541e31cfa3affa9d99a6ad6cf287601f3ddae9238c3ca379a4686c.exe
- Size
  
  957KB
- MD5
  
  2ebf7f5b65c0e71bf0f36e8e9bbde1c3
- SHA1
  
  94f3d18e57d6483c03cae67478bb559a2e3ae0f8
- SHA256
  
  c1d948fee0541e31cfa3affa9d99a6ad6cf287601f3ddae9238c3ca379a4686c
- SHA512
  
  e5ff1f5b652b2f16f225bf465bbee6340560d75b7e5e8460afab86db23ec1989faa9f5fe1f182c047ba7a9dcbfcd7a299fa3b0103786f279b48bc20d1100b59b
- SSDEEP
  
  12288:0nONo4ehvLMuotC0NgicDPP2sBJ79D67KI04YCE+PhcimEwz8dQNHTcFpI2qjS:0nOPeFGhgicDnDRZBCEMcihwId+jT
Score

10^/10

modiloader trojan formbook bs92 persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

formbookmodiloaderbs92persistenceratspywarestealertrojan