formbook | 2e131aa557409091807243581a73ca6f0baf55a2686896480554061f68915558 | Triage

Submit
Reports

Overview

overview

Static

static

0009758354.xlsx

windows7_x64

0009758354.xlsx

windows10_x64

1

Sharing

General

Target

0009758354.xlsx
Size

2.3MB
Sample

201216-4acgd83eke
MD5

08f37c449a77887454ce87781d42a454
SHA1

250c4b3b6c284481ac33c7942306636b9df1b7a3
SHA256

2e131aa557409091807243581a73ca6f0baf55a2686896480554061f68915558
SHA512

f89759bdb7c1d9ee4d665b63400014726c749d2e1269603394672a40098b96441758029d63f1d5dd3fe2cec0f07457dbf83c13c97f8e2515f3bfa9b7e0e509f9

Score

10^/10

formbook modiloader xloader loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

0009758354.xlsx

Resource

win7v20201028

formbook modiloader xloader loader persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

0009758354.xlsx

Resource

win10v20201028

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

C2

http://www.herbmedia.net/csv8/

Decoy

slgacha.com

oohdough.com

6983ylc.com

aykassociate.com

latin-hotspot.com

starrockindia.com

beamsubway.com

queensboutique1000.com

madbaddie.com

bhoomimart.com

ankitparivar.com

aldanasanchezmx.com

citest1597669833.com

cristianofreitas.com

myplantus.com

counterfeitmilk.com

8xf39.com

pregnantwomens.com

yyyut6.com

stnanguo.com

fessusesefsee.com

logansshop.net

familydalmatianhomes.com

accessible.legal

epicmassiveconcepts.com

indianfactopedia.com

exit-divorce.com

colliapse.com

nosishop.com

hayat-aljowaily.com

soundon.events

previnacovid19-br.com

traptlongview.com

splendidhotelspa.com

masterzushop.com

ednevents.com

studentdividers.com

treningi-enduro.com

hostingcoaster.com

gourmetgroceriesfast.com

thesouthbeachlife.com

teemergin.com

fixmygearfast.com

arb-invest.com

shemaledreamz.com

1819apparel.com

thedigitalsatyam.com

alparmuhendislik.com

distinctmusicproductions.com

procreditexpert.com

insights4innovation.com

jzbtl.com

1033325.com

sorteocamper.info

scheherazadelegault.com

glowportraiture.com

cleitstaapps.com

globepublishers.com

stattests.com

brainandbodystrengthcoach.com

magenx2.info

escaparati.com

wood-decor24.com

travelnetafrica.com

Targets

- Target
  
  0009758354.xlsx
- Size
  
  2.3MB
- MD5
  
  08f37c449a77887454ce87781d42a454
- SHA1
  
  250c4b3b6c284481ac33c7942306636b9df1b7a3
- SHA256
  
  2e131aa557409091807243581a73ca6f0baf55a2686896480554061f68915558
- SHA512
  
  f89759bdb7c1d9ee4d665b63400014726c749d2e1269603394672a40098b96441758029d63f1d5dd3fe2cec0f07457dbf83c13c97f8e2515f3bfa9b7e0e509f9
Score

10^/10

formbook modiloader xloader loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookmodiloaderxloaderloaderpersistenceratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy