formbook

General

Target

PRS TT copy_pdf.exe
Size

297KB
Sample

210114-kh6g2wxs9s
MD5

c19720396e3a0517b1c3e9c75dcab551
SHA1

ceb4ae7e086ebfed538632b9413b7f61c23f6151
SHA256

147690957c45aafb5929325a902f5c45e9b3a9845f0c9b273bd1e08f5e327d12
SHA512

a16e89c0a6112c1bd0eb75b61337e99ccd68b19b89e6cbbfcc6baa0bcaaffe6cabc209662240d0c929205c67d0ae5822e85b43be5f9d3b7cb62b947b890f00fc

Score

10^/10

Malware Config

Extracted

Family

formbook

C2

http://www.destinny.com/s9zh/

Decoy

paintedinafrica.com

electrumfix.download

edlange.com

tqiawy.xyz

satiscenter.xyz

nc-affiliates.com

agencybuilderforum.com

testabcde.net

venisseturf.net

rubenvdsande.com

nzmatrimony.com

mdthriftsandflips.com

virtualfxstudio.com

communityinsuranceut.com

qqbokep.com

copeva.net

bookedupdaily.com

houstongrowmyairway.com

fortunapublishing.com

empireplumbingandheating.com

Targets

- Target
  
  PRS TT copy_pdf.exe
- Size
  
  297KB
- MD5
  
  c19720396e3a0517b1c3e9c75dcab551
- SHA1
  
  ceb4ae7e086ebfed538632b9413b7f61c23f6151
- SHA256
  
  147690957c45aafb5929325a902f5c45e9b3a9845f0c9b273bd1e08f5e327d12
- SHA512
  
  a16e89c0a6112c1bd0eb75b61337e99ccd68b19b89e6cbbfcc6baa0bcaaffe6cabc209662240d0c929205c67d0ae5822e85b43be5f9d3b7cb62b947b890f00fc
Score

10^/10

formbook xloader loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Uses the VBS compiler for execution
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

Xloader Payload

Uses the VBS compiler for execution

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2