General

  • Target

    ncopia_della_richiesta_PDF_exe.xz

  • Size

    294KB

  • Sample

    230619-wxk6ysgf51

  • MD5

    f08796344aab6d080197de73a089e441

  • SHA1

    8249b39e3b3a68ed43a26453390e62ea89a3b15c

  • SHA256

    ff484f716796a61f6448c1f060de1129c063777c5370053aef71eb0f0c84b396

  • SHA512

    cf39e5334907a4c0b3ad0a9662485e42021a67d10afb613944a2459d88b426985751aa9f5bb7e53d2877411881f4bbc5a924afaaaaa70e533fc836faa474de2f

  • SSDEEP

    6144:Oy6s42F812J1aGQY6EdQyS/dWxCnvRhQZ8w3YK0QugYYpWHGmpqG1e:EsBG1yV0dWxCnvRmIK0QNYLgGI
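The two hash sets in this report describe different files: the values above are for the .xz container as delivered, while the Targets section lists the hashes of the executable extracted from it. The following Python is an added example (not part of the sandbox report or any vendor tool) that hashes both layers from one file, compares them against the report's own values, and caps the decompressed size so that an untrusted archive cannot be used as a decompression bomb against the analysis host. The expected hash constants are copied from the report; the sample itself is not included, so the command-line entry point only does anything if you point it at a local copy, and the size limit and the `hash_xz_sample` / `compare_digests` helper names are assumptions of this example.

```python
"""Hash an xz-wrapped malware sample and the executable inside it.

Added example; not part of the sandbox report. EXPECTED_* values are the
report's hashes for ncopia_della_richiesta_PDF_exe.xz (outer) and the
extracted ncopia_della_richiesta_PDF_exe (inner).
"""
import hashlib
import lzma
import sys

HASHES = ("md5", "sha1", "sha256", "sha512")

# Copied from the report: container (.xz) and extracted executable.
EXPECTED_OUTER = {
    "md5": "f08796344aab6d080197de73a089e441",
    "sha1": "8249b39e3b3a68ed43a26453390e62ea89a3b15c",
    "sha256": "ff484f716796a61f6448c1f060de1129c063777c5370053aef71eb0f0c84b396",
}
EXPECTED_INNER = {
    "md5": "6e8e90bf7aca0f8dfe34677650241d38",
    "sha1": "b70843655e29c3da8818ef3559bd4266da1bde3d",
    "sha256": "21e7cb5b28421ec52257e62cbecffb48edf4c8fe2e187cf9459aa18bc965ce20",
}


def digest_all(data):
    """Return md5/sha1/sha256/sha512 hex digests of a byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASHES}


def decompress_capped(xz_bytes, limit):
    """Decompress an .xz stream but refuse to emit more than `limit` bytes.

    lzma.decompress() would happily inflate a multi-GB bomb; using the
    incremental decompressor with max_length lets us stop early.
    """
    dec = lzma.LZMADecompressor()
    out = bytearray(dec.decompress(xz_bytes, max_length=limit + 1))
    while not dec.eof:
        if len(out) > limit:
            raise ValueError("decompressed size exceeds %d bytes" % limit)
        if dec.needs_input:
            raise ValueError("truncated or corrupt xz stream")
        chunk = dec.decompress(b"", max_length=limit + 1 - len(out))
        if not chunk:
            raise ValueError("decompressor made no progress")
        out += chunk
    if len(out) > limit:
        raise ValueError("decompressed size exceeds %d bytes" % limit)
    # Bytes after the xz end-of-stream marker are worth noting: some
    # droppers append data or a second stream there.
    return bytes(out), dec.unused_data


def hash_xz_sample(xz_bytes, max_inner_size=256 * 1024 * 1024):
    """Hash the container and the single file it decompresses to."""
    inner, trailing = decompress_capped(xz_bytes, max_inner_size)
    return {
        "outer": digest_all(xz_bytes),
        "inner": digest_all(inner),
        "inner_size": len(inner),
        "trailing_bytes": len(trailing),
    }


def compare_digests(actual, expected):
    """Return the names of algorithms whose digests differ from `expected`."""
    return [name for name in HASHES
            if name in expected and actual[name] != expected[name].lower()]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: hash_xz_sample.py <sample.xz>")
    with open(sys.argv[1], "rb") as fh:
        result = hash_xz_sample(fh.read())
    for layer, expected in (("outer", EXPECTED_OUTER), ("inner", EXPECTED_INNER)):
        bad = compare_digests(result[layer], expected)
        print(layer, "OK" if not bad else "MISMATCH on " + ", ".join(bad))
        for name in HASHES:
            print("  %-6s %s" % (name, result[layer][name]))
    print("inner size %d bytes, %d trailing bytes after xz stream"
          % (result["inner_size"], result["trailing_bytes"]))
```

Match on the outer hash proves you hold the same archive the sandbox analysed; match on the inner hash is what matters for correlating with other reports, since the same executable can be re-wrapped in a fresh container with a different outer hash.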

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t3c9

Decoy

shadeshmarriagemedia.com

e-russ.com

sofiashome.com

theworriedwell.com

americantechfront.com

seasonssparkling.com

maximuscanada.net

tifin-private-markets.com

amecc2.net

xuexi22.icu

injectiontek.com

enrrocastoneimports.com

marvelouslightcandleco.com

eaamedia.com

pmediaerp.com

tikivips111.com

chesterfieldcleaningcare.com

thecrowdedtablemusic.com

duncanvillepanthers.com

floriculturajoinville.xyz
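Formbook's extracted configuration carries a list of domains, but only one of them is the live C2 in any given run; the bot resolves and contacts the decoys as well, so every name in the list is a usable indicator for this sample while none of them, on its own, identifies the real controller. The following Python is an added example (not from the sandbox report or any vendor tool) that parses the config block exactly as printed above into a structured object, sweeps DNS query logs for lookups of any decoy or its subdomains, and emits Suricata DNS rules for the list. The config text is copied from the report; the DNS log lines, the log line format, the rule SID range and the function names are constructed for this illustration, and the rule syntax assumes Suricata 5 or later (`dns.query` sticky buffer).

```python
"""Turn an extracted Formbook config into detection content.

Added example; not part of the sandbox report. CONFIG_TEXT is copied from
the report's "Malware Config / Extracted" section. SAMPLE_DNS_LOG is a
constructed log in a simple "timestamp client query" layout.
"""
import re
from dataclasses import dataclass, field

CONFIG_TEXT = """\
Family
formbook
Version
4.1
Campaign
t3c9
Decoy
shadeshmarriagemedia.com
e-russ.com
sofiashome.com
theworriedwell.com
americantechfront.com
seasonssparkling.com
maximuscanada.net
tifin-private-markets.com
amecc2.net
xuexi22.icu
injectiontek.com
enrrocastoneimports.com
marvelouslightcandleco.com
eaamedia.com
pmediaerp.com
tikivips111.com
chesterfieldcleaningcare.com
thecrowdedtablemusic.com
duncanvillepanthers.com
floriculturajoinville.xyz
"""

KEYS = {"Family", "Version", "Campaign", "Decoy"}


@dataclass
class FormbookConfig:
    family: str = ""
    version: str = ""
    campaign: str = ""
    decoys: list = field(default_factory=list)


def parse_config(text):
    """Parse the key-on-one-line / value-on-next-line layout of the report."""
    cfg, key = FormbookConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in KEYS:
            key = line            # section header; values follow
            continue
        if key == "Family":
            cfg.family = line.lower()
        elif key == "Version":
            cfg.version = line
        elif key == "Campaign":
            cfg.campaign = line
        elif key == "Decoy":
            cfg.decoys.append(line.lower().rstrip("."))
    return cfg


def domain_matches(query, domains):
    """Return the config domain that `query` equals or is a subdomain of.

    Matching on a label boundary avoids the classic false positive where
    'safe-russ.com' would match 'e-russ.com' on a plain substring test.
    """
    q = query.lower().rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed DNS log: one benign lookup, three hits in different spellings,
# and one near-miss that must not match.
SAMPLE_DNS_LOG = """\
2023-06-19T13:02:11Z 10.0.5.23 www.microsoft.com
2023-06-19T13:02:14Z 10.0.5.23 www.shadeshmarriagemedia.com
2023-06-19T13:02:14Z 10.0.5.23 e-russ.com.
2023-06-19T13:02:15Z 10.0.5.23 safe-russ.com
2023-06-19T13:02:16Z 10.0.5.23 THEWORRIEDWELL.COM
"""


def match_dns_log(log_text, cfg):
    """Return (timestamp, client, query, matched_domain) for each hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, query = parts
        matched = domain_matches(query, cfg.decoys)
        if matched:
            hits.append((ts, client, query, matched))
    return hits


def suricata_rules(cfg, base_sid=9000000):
    """One Suricata DNS rule per config domain; SIDs are placeholders."""
    rules = []
    for i, d in enumerate(sorted(cfg.decoys)):
        # content+endswith gives a fast prefilter; the pcre pins the match to
        # a label boundary so 'safe-russ.com' does not trigger the e-russ rule.
        rules.append(
            'alert dns any any -> any any (msg:"Formbook %s campaign %s decoy/C2 '
            'lookup %s"; dns.query; content:"%s"; nocase; endswith; '
            'pcre:"/(?:^|\\.)%s$/i"; sid:%d; rev:1;)'
            % (cfg.version, cfg.campaign, d, d, re.escape(d), base_sid + i))
    return rules


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    for hit in match_dns_log(SAMPLE_DNS_LOG, cfg):
        print("HIT %s %s queried %s (config domain %s)" % hit)
    print("\n".join(suricata_rules(cfg)))
```

Treat a hit on any of these names as evidence that this sample (or another from the same campaign build) ran on the client, then look at which of the matched domains actually returned an HTTP response with a Formbook-style POST exchange to find the real C2; the decoys usually resolve to unrelated, legitimate sites.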

Targets

    • Target

      ncopia_della_richiesta_PDF_exe

    • Size

      765KB

    • MD5

      6e8e90bf7aca0f8dfe34677650241d38

    • SHA1

      b70843655e29c3da8818ef3559bd4266da1bde3d

    • SHA256

      21e7cb5b28421ec52257e62cbecffb48edf4c8fe2e187cf9459aa18bc965ce20

    • SHA512

      b88af3aaaafb50911da236d68b6bdd575032dafd009aba8ebb2d53a340c5362163ee65a0ceaf044ce9de25eacf0bdb68af2dd56fc77d4e1543edbb8742faa039

    • SSDEEP

      12288:NEdx8epMpDHeLp0ewAKOXCYfPHEl20/WAN9PuCCJQppO70an:NIdytHe1hFXfPHAxPa7b

    • Formbook

      Formbook is an infostealer: it hooks browsers and other applications to capture submitted web-form data, keystrokes and clipboard contents, harvests saved credentials, and can take screenshots and fetch further payloads on command from its C2.

    • ModiLoader, DBatLoader

      ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses legitimate cloud file-hosting services to download its second stage, which it then injects and runs in memory. In this sample that second stage is Formbook.

    • Formbook payload

    • ModiLoader Second Stage

    • Reads user/profile data of web browsers

      Infostealers read browser profile data (login databases, cookies, autofill records and session tokens) because it yields saved credentials and live sessions without any further interaction from the user.

    • Adds Run key to start application

      A value under the CurrentVersion\Run key re-launches the dropped file at every logon; this is the persistence technique mapped to T1060 below.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is the hallmark of process hollowing / thread hijacking: a legitimate process is started suspended, its entry point is redirected to injected code, and the thread is resumed, so the payload runs under a benign process name.

MITRE ATT&CK Matrix (ATT&CK v6)

The report uses ATT&CK v6 identifiers; two of them were retired in later versions, so the current equivalents are given alongside.

  Tactic              Technique (hits)                          v6 ID   Current ID
  Persistence         Registry Run Keys / Startup Folder (1)    T1060   T1547.001
  Defense Evasion     Modify Registry (2)                       T1112   T1112
  Credential Access   Credentials in Files (1)                  T1081   T1552.001
  Collection          Data from Local System (1)                T1005   T1005
