General

  • Target: d164c7ce3856705552a7dcd91f577c12162d5eb522153e33e91f86536cac5fb2.exe
  • Size: 2.3MB
  • Sample: 231201-xxkqvsfd81
  • MD5: 072d323c28e7ba4d63eb7df9894f33c9
  • SHA1: cf6a2b1ba98bf303e93b4070919ec1cd30262377
  • SHA256: d164c7ce3856705552a7dcd91f577c12162d5eb522153e33e91f86536cac5fb2
  • SHA512: 348e888f90e8582be54acc4c39d9531ec333a3f9deb5c7cc1c4d6dbf2cc094cbb744438d87d6d3a2357d2e2be7141412744287249b465eb39217a3f0cffb0a23
  • SSDEEP: 49152:UkQzWGa8pH8yc0/wU2lpe63ZrxKrVEbRIqiPt415Fehg1mQ5C:UNqGa8pcyV/wjpdZrxEVEtI14xqn

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: ao65
  • Decoy (20 domains)


Targets

    • Formbook: an information-stealing malware family.
    • ModiLoader, DBatLoader: a Delphi-based loader that abuses cloud services to download other malware families.
    • Formbook payload
    • ModiLoader Second Stage
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                            Count  ID
  Persistence           Boot or Logon Autostart Execution    1      T1547
  Persistence           Registry Run Keys / Startup Folder   1      T1547.001
  Privilege Escalation  Boot or Logon Autostart Execution    1      T1547
  Privilege Escalation  Registry Run Keys / Startup Folder   1      T1547.001
  Defense Evasion       Modify Registry                      1      T1112

Tasks