formbook | c0a31c17baaae9d4fe88b19bbaec9fd55733552545692572082bd3c56a79a0fd | Triage

Submit
Reports

Overview

overview

Static

static

3

pdf.exe

windows7-x64

pdf.exe

windows10-2004-x64

Sharing

General

Target

pdf.exe
Size

1.9MB
Sample

231130-mbtfrsag2v
MD5

4c681a85055387f6680f9f329f425c45
SHA1

1347e0f77ff1b4fa3d58f15aa863a11bc7ffa9a6
SHA256

c0a31c17baaae9d4fe88b19bbaec9fd55733552545692572082bd3c56a79a0fd
SHA512

32513605638682426e1ac86663872aa5442d0e7f3e7cc196951691e97bc166dd4772d3f5afc3efc2ea6d2a92667eef3250db0a124b284ffa914cd4b6ce79cf18
SSDEEP

49152:Ad8fIwCjykkGo5ITnLK+Ey9S1qXtfRGHKpk3H8eiTwHFimH9jIrMKSIa+GGXHIf8:AdoIwkkrITnG69S1qXtfRGHKpk3H8ei9

Score

10^/10

formbook modiloader qh1n persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

pdf.exe

Resource

win7-20231023-en

modiloader trojan

windows7-x64

5 signatures

300 seconds

Behavioral task

behavioral2

Sample

pdf.exe

Resource

win10v2004-20231127-en

formbook modiloader qh1n persistence rat spyware stealer trojan

windows10-2004-x64

19 signatures

300 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

qh1n

Decoy

hyw0902destiny.xyz

mkquan.net

tisml8yn.top

norcliffecapital.com

dennemeyer-antipiracy.com

kastlosa.com

ghsdhzs.com

fdkeatlah.best

pvpvhhhvmk1z5r7.xyz

pumperwopingrld.com

traveloka.website

yunzhizhao.top

wtwvmemphis.com

aquaceen.com

flynovaa.info

qr-sens.events

yihetrading.com

miamipaintingcompany.com

kunikokaizu.shop

kapudianzi.com

als-bikeshop.com

grundse.com

nukinee.com

seven-heavens.net

bdxxfxukaoycsdv.buzz

loxodogeue.shop

developmi.com

otoland-presents.com

abdullahairinternational.com

supportcentredev.com

air-rifle.net

guangkang.net

97b.lat

chatgratis.host

glamourdiscussion.com

pcul9dhd.vip

jlhdesigns.shop

delivous.info

xy-v2ray.buzz

girlxinh69.net

lutesogroup.com

danijelamacura.com

ah0ubr7002.cfd

floralon.online

columbushighbaseballnews.com

rootstoreality.site

kimmizuno.net

zg9tywlubmftzw5ldzeznju.com

gma-sleekair.com

rmsuppliers.online

phundisk.online

hypelandpr.online

yuntingbao.net

word-brain.site

rstelecomjp.com

americandala.com

sistersuni9quedesigns.com

olimpiadent.com

i-plow.net

centralfloridashedmover.com

hamofy.live

downloadsstreams.com

clean-pro-services.com

vimuslifecare.com

ugcsr.com

Targets

- Target
  
  pdf.exe
- Size
  
  1.9MB
- MD5
  
  4c681a85055387f6680f9f329f425c45
- SHA1
  
  1347e0f77ff1b4fa3d58f15aa863a11bc7ffa9a6
- SHA256
  
  c0a31c17baaae9d4fe88b19bbaec9fd55733552545692572082bd3c56a79a0fd
- SHA512
  
  32513605638682426e1ac86663872aa5442d0e7f3e7cc196951691e97bc166dd4772d3f5afc3efc2ea6d2a92667eef3250db0a124b284ffa914cd4b6ce79cf18
- SSDEEP
  
  49152:Ad8fIwCjykkGo5ITnLK+Ey9S1qXtfRGHKpk3H8eiTwHFimH9jIrMKSIa+GGXHIf8:AdoIwkkrITnG69S1qXtfRGHKpk3H8ei9
Score

10^/10

modiloader trojan formbook qh1n persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook payload
  rat
- ModiLoader Second Stage
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

formbookmodiloaderqh1npersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy