formbook | 0aafe6b3993e50e58efde794bd8ba2f5eb9b69674918c57546a10e40103ba940 | Triage

Sharing

General

Target

BSL 21 PYT.xlsx
Size

2.5MB
Sample

210112-gw17lnv4rx
MD5

a54193468101d99a1d194d8feac6476c
SHA1

e861bbf690146940f82b13f09e07f2da338e7885
SHA256

0aafe6b3993e50e58efde794bd8ba2f5eb9b69674918c57546a10e40103ba940
SHA512

1a6397ee5a981552096f8688288804feb221ed2f0e08f4511d875bec0b4261fbf743bdb110d9ddcd534fcf27813e65bedeaf43d52eae4134ac2c1c6e227c9e83

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.stonescapes1.com/de92/

Decoy

zindaginews.com

tyelevator.com

schustermaninterests.com

algemixdelchef.com

doubscollectivites.com

e-butchery.com

hellbentmask.com

jumbpprivacy.com

teeniestiedye.com

playfulartwork.com

desertvacahs.com

w5470-hed.net

nepalearningpods.com

smoothandsleek.com

thecannaglow.com

torrentkittyla.com

industrytoyou.com

raquelvargas.net

rlc-nc.net

cryptoprises.com

Targets

- Target
  
  BSL 21 PYT.xlsx
- Size
  
  2.5MB
- MD5
  
  a54193468101d99a1d194d8feac6476c
- SHA1
  
  e861bbf690146940f82b13f09e07f2da338e7885
- SHA256
  
  0aafe6b3993e50e58efde794bd8ba2f5eb9b69674918c57546a10e40103ba940
- SHA512
  
  1a6397ee5a981552096f8688288804feb221ed2f0e08f4511d875bec0b4261fbf743bdb110d9ddcd534fcf27813e65bedeaf43d52eae4134ac2c1c6e227c9e83
Score

10^/10

formbook xloader loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookxloaderloaderratspywarestealertrojan

behavioral2