General

  • Target

    Znuvgbtsedoszb.exe

  • Size

    2MB

  • Sample

    231203-ty9vlach78

  • MD5

    d726d57563144b62b4688cc12e34cfda

  • SHA1

    5ce5d9e655a8bc6bec4c5b823f1a2ad6bfeff327

  • SHA256

    83320be7f5851145e2f8713daeea3bcf5eff2ac87d63e6e47336f95ed22e91c8

  • SHA512

    010712d263144ae1cfd5a907ad66768fd8cf5b6654f80d8c8de7e136b73184a957000f3e022d473a49fb3432717068254fbb57a115eb803aad95b9d4288c6122

  • SSDEEP

    49152:Xm/PpH8yc0/wU2lpe63ZrxKrVEbRIqiPt411Fehg1mQzZ:XOpcyV/wjpdZrxEVEtI14xqnY

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    fadc

  • Decoy

    protechdream.com
    faireco.life
    bakrinhome.com
    bustygirl.xyz
    kbif.info
    ningo.bond
    hollywoodcircleevents.site
    eapv-uabjo.com
    852bets.com
    nooption.online
    global-strategy.pro
    cartaonline.online
    sacredbones2023.com
    barsandbands.fun
    liftchairs-info-mx.today
    delamar.one
    shuntianyuan.net
    americanworldsolutions.com
    julitv.net
    criativax.com

Targets

    • Target

      Znuvgbtsedoszb.exe

    • Size

      2MB

    • MD5

      d726d57563144b62b4688cc12e34cfda

    • SHA1

      5ce5d9e655a8bc6bec4c5b823f1a2ad6bfeff327

    • SHA256

      83320be7f5851145e2f8713daeea3bcf5eff2ac87d63e6e47336f95ed22e91c8

    • SHA512

      010712d263144ae1cfd5a907ad66768fd8cf5b6654f80d8c8de7e136b73184a957000f3e022d473a49fb3432717068254fbb57a115eb803aad95b9d4288c6122

    • SSDEEP

      49152:Xm/PpH8yc0/wU2lpe63ZrxKrVEbRIqiPt411Fehg1mQzZ:XOpcyV/wjpdZrxEVEtI14xqnY

    • Formbook

      Formbook is a data-stealing malware family.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi-based loader that abuses cloud services to download other malicious families.

    • Formbook payload

    • ModiLoader Second Stage

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 1

Tasks