formbook | 559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c | Triage

Submit
Reports

Overview

overview

Static

static

1

RFQ8943.pdf.exe

windows7_x64

RFQ8943.pdf.exe

windows10_x64

Sharing

General

Target

RFQ8943.pdf.exe
Size

276KB
Sample

210923-q5sccaedgm
MD5

89e074f1f6ffd1421078fdab1a00ab5d
SHA1

a5c4d75dbbe10ed36f1ffaba930456592e268169
SHA256

559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c
SHA512

2992a62c4d11a605429dea066336141701852d3866c9f6ba034f753e76714deaafd0a4a51108f0bca34ca561707a47abb28870048a27efd63344249cf0b1f3c1

Score

10^/10

formbook xloader dhua loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

RFQ8943.pdf.exe

Resource

win7-en-20210920

xloader dhua loader persistence rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

RFQ8943.pdf.exe

Resource

win10-en-20210920

formbook xloader dhua loader persistence rat spyware stealer suricata trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dhua

C2

http://www.segurosramosroman.com/dhua/

Decoy

ketostar.club

icanmakeyoufamous.com

claimygdejection.com

garlicinterestedparent.xyz

bits-clicks.com

030atk.xyz

ballwiegand.com

logs-illumidesk.com

785686.com

flnewsfeed.com

transporteshrj.net

agenciamundodigital.online

bowersllc.com

urchncenw.com

wuauwuaumx.com

littlesportsacademy.com

xn--m3chb3ax0abdta3fwhk.com

prmarketings.com

jiaozhanlianmeng.com

whenisthestore.space

ventureagora.net

ditrixmed.store

gitlab-tamskillpage.com

samgravikasnidhi.com

lenti4you.com

reviewallstarscommerce.com

nissimarble.com

md2px.xyz

tristarelectronics.net

you11.net

vaccinationfraud.xyz

bu3helo.com

marcellcheckpoint.com

hassinkandroos.com

socw.quest

screenedscooptoknow-today.info

aciburada.com

edimacare.com

smokenation.net

elga-groupinc.com

26dgj.xyz

chandleenews.com

sugarcanemultisport.com

nichellejonesrealtor.com

architektschnur.com

atehgroup.com

ocoeeboys.com

zanesells.com

878971.com

infringement-notice.com

orzame.com

darlindough.com

bwpassionenterprise.com

switchress.com

willcowblog.online

rsyncpalace.com

ayderstudio.com

ascotintrenational.com

omeducationhelp.com

kimberleydawnwallace.com

thereisnooneway.com

marketobserve.com

sildenafilnrx.com

willowbaldwin.com

Targets

- Target
  
  RFQ8943.pdf.exe
- Size
  
  276KB
- MD5
  
  89e074f1f6ffd1421078fdab1a00ab5d
- SHA1
  
  a5c4d75dbbe10ed36f1ffaba930456592e268169
- SHA256
  
  559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c
- SHA512
  
  2992a62c4d11a605429dea066336141701852d3866c9f6ba034f753e76714deaafd0a4a51108f0bca34ca561707a47abb28870048a27efd63344249cf0b1f3c1
Score

10^/10

xloader dhua loader persistence rat suricata formbook spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderdhualoaderpersistenceratsuricata

behavioral2

formbookxloaderdhualoaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy