formbook

General

Target

FE9E42756C3DEBA5DDB89FC5D2BF462CDF256F9A1D3A5BD4C21E05B81B025334
Size

322KB
Sample

230718-zjnlpsdg49
MD5

cfb0f4257f4f5dceac3bf02b42f87788
SHA1

301e23efee16c6d12dbb2a2b730ed6f89b1875f0
SHA256

fe9e42756c3deba5ddb89fc5d2bf462cdf256f9a1d3a5bd4c21e05b81b025334
SHA512

3032118eb7de6047071206e3df8796165c9691be70e141a9fc8d6b59b92ba9c7e60fed750da692057ebec23cd365308a23728e69c41011438a6e712bc26427eb
SSDEEP

6144:Oo6XNdK/HpcITEQ9Q5Qosy6w+o8GhSp+7eipwNVyC721OEJ:OvdK/eITB6f4w+ofXkVyC7GOc

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t3c9

Decoy

shadeshmarriagemedia.com

e-russ.com

sofiashome.com

theworriedwell.com

americantechfront.com

seasonssparkling.com

maximuscanada.net

tifin-private-markets.com

amecc2.net

xuexi22.icu

injectiontek.com

enrrocastoneimports.com

marvelouslightcandleco.com

eaamedia.com

pmediaerp.com

tikivips111.com

chesterfieldcleaningcare.com

thecrowdedtablemusic.com

duncanvillepanthers.com

floriculturajoinville.xyz

Targets

- Target
  
  FE9E42756C3DEBA5DDB89FC5D2BF462CDF256F9A1D3A5BD4C21E05B81B025334
- Size
  
  706KB
- MD5
  
  541f275dba8fef52479d9163bb9550cd
- SHA1
  
  da59e93e565c0799800c1a2f69fff88bee649ad4
- SHA256
  
  d1d06d5235a82595d7790543cfeade698af451c8b6baaf40f8cb3734b4e4be8d
- SHA512
  
  b1ad21e39b7f1f5ee3289f99752aadd94be233465f1de6c312b967b1ab64abf1343c3228fb2cb1416a971067f98e0abefd0b657f6a04daddb74c1f785d881cd1
- SSDEEP
  
  12288:mTlUbdpW5/5o8FF2FENOeqBWJz4RC7A2tkCizoHm8gn7hQEL:mTqC/5otAqYOo82tkCizoH9gnGE
Score

10^/10

modiloader trojan formbook t3c9 persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Formbook payload

ModiLoader Second Stage

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2