formbook

General

Target

Invoice && Packing.r15
Size

546KB
Sample

210915-t7tvqsbab9
MD5

b333cf0e3ac2dbc45aec380e5bd50719
SHA1

28cb53895e180a86b969d0ee084194cdf9a294ad
SHA256

1aa5d2b240599fdc78430c4aeba03305fccad15b7ca038dbf056d8dd67865892
SHA512

0929966ee321bb7cbdb81214e5493ebcadf6403a9d82f1499a12df2aeb52dab9b7483aa88d29d618cccbc99105aa48299080237204d75609e4268255cd72ed45

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.4

Campaign

t75f

C2

http://www.438451.com/t75f/

Decoy

ice-lemon.pro

ar3spro.cloud

9055837.com

fucksociety.net

prettyofficialx.com

mfxw.xyz

relationshipquiz.info

customia.xyz

juanayjuan.com

zidiankj.com

facture-booking.com

secondmining.store

aboutyou.club

gongxichen.com

laurabraincreative.com

pierrot-bros.com

saintpaulaccountingservices.com

dom-maya.com

garderobamarzen.net

la-salamandre-assurances.com

Targets

- Target
  
  TPJX2QwEdXs5sTV.exe
- Size
  
  655KB
- MD5
  
  ce556ce97ea23cbc2940f2aad45d468f
- SHA1
  
  cc2bdaefa2f0ac108e2f456e42a42e8258580cf4
- SHA256
  
  7c3d5ebd2c417a52b2a0b98dee95b5a7f283816f6a2453ceeffd31becc140882
- SHA512
  
  82d4d71aeb5118d600394c64eb127ca4a87d7b83702feb4f9c5b0a0d98a597f812ebfd16784cbde54b9f4b1c87d3c7eaf57fb1c86b9720df95419887fc13f77b
Score

10^/10

xloader t75f loader rat formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

Xloader Payload

Adds policy Run key to start application

Executes dropped EXE

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2