formbook | 24b32fae45de625284629159956494fd1b33ca4a1210991c32ec9d176e3ac137 | Triage

Sharing

General

Target

d90dc4011ae0968a98859f42a06277d4.bin
Size

423KB
Sample

230507-cgdmdsca58
MD5

399ab88aaf06c9d2342c018b68223006
SHA1

71386d6abddf5bd8f4ac958a1cc728dd438daa3b
SHA256

24b32fae45de625284629159956494fd1b33ca4a1210991c32ec9d176e3ac137
SHA512

dce33571580ca2abef3130d2a0edb07dc85558d98271192ed30284101e57490f057d1e51ea925ff5755c049237a40467d7bec839c5e7f34f6e41d020c8a12af0
SSDEEP

6144:QruEZ2iaF7niwmVCgjZo4R4JKGdffte8iuU55Lcl3BLjF+JWcGqSpz3snLKUQiUG:QhZ2iOiwsrjX43dX066IccNiUJGS2mLc

Score

10^/10

formbook modiloader bs92 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bs92

Decoy

czwjss.top

delightpgener.top

jannicebnaturotherapies.com

emotionalsupportpandas.com

hotbrasil.shop

abc3k.com

dklending.com

dyxs30.com

474lakeshore4110.info

hdriole.xyz

comicswithaudio.com

hotmeetingsfree.club

albinadolova.ru

agrijan.com

dylane-cv.com

htctuan.com

jacketnorway.com

equora.ru

cloud11.store

olalekanadmin.africa

Targets

- Target
  
  Payment (2).exe
- Size
  
  957KB
- MD5
  
  2ebf7f5b65c0e71bf0f36e8e9bbde1c3
- SHA1
  
  94f3d18e57d6483c03cae67478bb559a2e3ae0f8
- SHA256
  
  c1d948fee0541e31cfa3affa9d99a6ad6cf287601f3ddae9238c3ca379a4686c
- SHA512
  
  e5ff1f5b652b2f16f225bf465bbee6340560d75b7e5e8460afab86db23ec1989faa9f5fe1f182c047ba7a9dcbfcd7a299fa3b0103786f279b48bc20d1100b59b
- SSDEEP
  
  12288:0nONo4ehvLMuotC0NgicDPP2sBJ79D67KI04YCE+PhcimEwz8dQNHTcFpI2qjS:0nOPeFGhgicDnDRZBCEMcihwId+jT
Score

10^/10

modiloader trojan formbook bs92 persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

formbookmodiloaderbs92persistenceratspywarestealertrojan