Overview

overview

10

Static

static

3

ordine pdf.exe

windows7-x64

10

ordine pdf.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ordine pdf.exe.xz

  • Size

    294KB

  • Sample

    230620-sngwdsea2z

  • MD5

    77ae30927b642d4b20e0a94ab41c490e

  • SHA1

    864096ae704c108726ec130529b4b4c4423180fd

  • SHA256

    8b18f940c3bf89cccdd8d2a874b02ef467af7bbad01e4cea7336540c41769e04

  • SHA512

    c54c5815b0edc1a7f793e73d844dab472222093d7386e4aa37d2c53722e4bf07d7dc26560492a0bd0a1acfe38624b089cc2e075d4945b399f039c3e650c3d939

  • SSDEEP

    6144:Oy6s42F812J1aGQY6EdQyS/dWxCnvRhQZ8w3Yx09ryR+dOIMtISsfo3:EsBG1yV0dWxCnvRmIx09r5dOI6ISsfo3

Score
10/10
formbookmodiloaderges9persistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ges9

Decoy

lolofestival.store

amzin.info

pulsahokii.xyz

bahiszirve.com

animekoe.com

kansastaxaccountant.net

howgoodisgod.online

medakaravan.xyz

pesmagazine.net

americanpopulist.info

nepalihandicraft.com

mariabakermodeling.com

cavify.top

onlinewoonboulevard.com

furniture-22830.com

ophthalmicpersonneltraining.us

yz1204.com

extrawhite.site

tomo.store

martfind.online

Targets

    • Target

      ordine pdf.exe

    • Size

      765KB

    • MD5

      e5d280126390518473146d3a8b7818e1

    • SHA1

      3af84d1a32b1a834e9d74ad8743d835ab00b3702

    • SHA256

      323dc9de135c89b75b7a42b2c5a6327e09acafe52c035464316e170f3f55b6ac

    • SHA512

      a1849d82d202105aded3ae93ec9a7b12366f6112f87fa8adbefc6f440569ebc00052ef4e0317eeaa03998a359a501e5946b5903daf4229317b6ee688ee4deffb

    • SSDEEP

      12288:NEdx8epMpDHeLp0ewAKOXCcfPHEl20/WAN9PuCCJQppO70an:NIdytHe1hFzfPHAxPa7b

    Score
    10/10
    modiloadertrojanformbookges9persistenceratspywarestealer

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Formbook payload

      rat

    • ModiLoader Second Stage

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks