formbook | 1ea2c02f87744c96ef37390bbc851ddffde8cf691356a07810e590056acf7556 | Triage

Submit
Reports

Overview

overview

Static

static

1

BERN210819.exe

windows7_x64

7

BERN210819.exe

windows10_x64

Sharing

General

Target

BERN210819.iso
Size

676KB
Sample

210924-jeg1csgce7
MD5

bf0fa800da0b41c08785cacccff2b706
SHA1

1262a781fe1fcac8ce1c703ca08ce911fafa92ec
SHA256

1ea2c02f87744c96ef37390bbc851ddffde8cf691356a07810e590056acf7556
SHA512

9a098890c4c9176934df38ccba02c345b0d110d44f78956f279921be5bccd6e4d31b314c70ee2bc5ab6fad8574d187e89846df78b5d0bf593a2dbdc0b183f71c

Score

10^/10

formbook xloader dhua loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

BERN210819.exe

Resource

win7-en-20210920

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

BERN210819.exe

Resource

win10-en-20210920

formbook xloader dhua loader persistence rat spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dhua

C2

http://www.segurosramosroman.com/dhua/

Decoy

ketostar.club

icanmakeyoufamous.com

claimygdejection.com

garlicinterestedparent.xyz

bits-clicks.com

030atk.xyz

ballwiegand.com

logs-illumidesk.com

785686.com

flnewsfeed.com

transporteshrj.net

agenciamundodigital.online

bowersllc.com

urchncenw.com

wuauwuaumx.com

littlesportsacademy.com

xn--m3chb3ax0abdta3fwhk.com

prmarketings.com

jiaozhanlianmeng.com

whenisthestore.space

ventureagora.net

ditrixmed.store

gitlab-tamskillpage.com

samgravikasnidhi.com

lenti4you.com

reviewallstarscommerce.com

nissimarble.com

md2px.xyz

tristarelectronics.net

you11.net

vaccinationfraud.xyz

bu3helo.com

marcellcheckpoint.com

hassinkandroos.com

socw.quest

screenedscooptoknow-today.info

aciburada.com

edimacare.com

smokenation.net

elga-groupinc.com

26dgj.xyz

chandleenews.com

sugarcanemultisport.com

nichellejonesrealtor.com

architektschnur.com

atehgroup.com

ocoeeboys.com

zanesells.com

878971.com

infringement-notice.com

orzame.com

darlindough.com

bwpassionenterprise.com

switchress.com

willcowblog.online

rsyncpalace.com

ayderstudio.com

ascotintrenational.com

omeducationhelp.com

kimberleydawnwallace.com

thereisnooneway.com

marketobserve.com

sildenafilnrx.com

willowbaldwin.com

Targets

- Target
  
  BERN210819.exe
- Size
  
  614KB
- MD5
  
  5bc6fa2221eed7444ea7d51dea3d1b4e
- SHA1
  
  e7509c6facf6b09971739123aeacd555d9fb64b5
- SHA256
  
  8d20c36d499a614206967f9ffe68885a78aa2e7c718512a31b185bbaa529a4f6
- SHA512
  
  b5d9efc7070a38d6d4dcbc015a931c6a5bc45356879abe118bf55b4f366533ca47fd94527c4e2ceb225ad3d2e34f0e7c4f7d59e1d0d4f18483dfcb9abab406d4
Score

10^/10

formbook xloader dhua loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

formbookxloaderdhualoaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy