formbook | eec96529834b477322282fdc1f9a976905677cd0e57389b81fd7039247515568 | Triage

Submit
Reports

Overview

overview

Static

static

1

UPStrackin...92.exe

windows7_x64

UPStrackin...92.exe

windows10_x64

Sharing

General

Target

UPStracking0940292.iso
Size

318KB
Sample

210929-j6g5faeddl
MD5

f9ef284b19180b1e1309464d44656d5a
SHA1

272d01b699facc5961709f405ad242be8406dd83
SHA256

eec96529834b477322282fdc1f9a976905677cd0e57389b81fd7039247515568
SHA512

1ba81e15b90309f4d72f9ebfcd14c653e3490584ef129bd19ba725b4f7cbe87fa60705eed1c44918048f18af6bf0b0789aeb8177d445d9dc5005f2c76fb6536f

Score

10^/10

formbook xloader dhua loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

UPStracking0940292.exe

Resource

win7-en-20210920

formbook xloader dhua loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

UPStracking0940292.exe

Resource

win10v20210408

formbook xloader dhua loader persistence rat spyware stealer suricata trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dhua

C2

http://www.segurosramosroman.com/dhua/

Decoy

ketostar.club

icanmakeyoufamous.com

claimygdejection.com

garlicinterestedparent.xyz

bits-clicks.com

030atk.xyz

ballwiegand.com

logs-illumidesk.com

785686.com

flnewsfeed.com

transporteshrj.net

agenciamundodigital.online

bowersllc.com

urchncenw.com

wuauwuaumx.com

littlesportsacademy.com

xn--m3chb3ax0abdta3fwhk.com

prmarketings.com

jiaozhanlianmeng.com

whenisthestore.space

ventureagora.net

ditrixmed.store

gitlab-tamskillpage.com

samgravikasnidhi.com

lenti4you.com

reviewallstarscommerce.com

nissimarble.com

md2px.xyz

tristarelectronics.net

you11.net

vaccinationfraud.xyz

bu3helo.com

marcellcheckpoint.com

hassinkandroos.com

socw.quest

screenedscooptoknow-today.info

aciburada.com

edimacare.com

smokenation.net

elga-groupinc.com

26dgj.xyz

chandleenews.com

sugarcanemultisport.com

nichellejonesrealtor.com

architektschnur.com

atehgroup.com

ocoeeboys.com

zanesells.com

878971.com

infringement-notice.com

orzame.com

darlindough.com

bwpassionenterprise.com

switchress.com

willcowblog.online

rsyncpalace.com

ayderstudio.com

ascotintrenational.com

omeducationhelp.com

kimberleydawnwallace.com

thereisnooneway.com

marketobserve.com

sildenafilnrx.com

willowbaldwin.com

Targets

- Target
  
  UPStracking0940292.exe
- Size
  
  256KB
- MD5
  
  ecad1092417fae79942a0022ce770621
- SHA1
  
  661d76ff20089a6926c95a934b4619baefd230c5
- SHA256
  
  86ccf51a612ccf7c07b1e356636e236abca7bd99b3176e983d777f07fde6a757
- SHA512
  
  9a428228b6f66d3cd200f698e910c1c0a88f361638a47891a6a5eb59871e536d07f5607483cee31d810984af509f293b09a77261b766ea957bba449de21207e7
Score

10^/10

formbook xloader dhua loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderdhualoaderpersistenceratspywarestealersuricatatrojan

behavioral2

formbookxloaderdhualoaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy