formbook

General

Target

Inquiry Order.zip
Size

326KB
Sample

211007-eqjk4scafr
MD5

ffa8a5b2c9c01f863d6719cc75d958ea
SHA1

3adc3889741f9ce711d5fdd0a850a868c2dfebed
SHA256

cb14692eac3d5825fa466d731c8692b2ec6c1ea94e4c0ef515738844eeb91ec1
SHA512

6b720a9a751ae93e7ba777a27b735e7a855058dc5e99056291cdfe6b9956b93f200dd763df66eb2eba7a277a0a6701209ff2133555cebe6a1e394c1024cade2c

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b5ce

C2

http://www.rheilea.com/b5ce/

Decoy

advellerd.xyz

giasuvina.com

arab-xt-pro.com

ahsltu2ua4.com

trasportesemmanuel.com

kissimmeesoccercup.com

studyengland.com

m2volleyballclub.com

shyuehuan.com

elsml.com

blog-x-history.top

coditeu.com

allattachments.net

vigautruc.com

mentication.com

zambiaedu.xyz

filadelfiacenter.com

avlaborsourceinc.info

tameka-stewart.com

studio-cleo.com

Targets

- Target
  
  Inquiry Order.exe
- Size
  
  382KB
- MD5
  
  a5b0ce8922a255ec0365017fa0cb8ba8
- SHA1
  
  911b6222cf8c51f69f70923b13e3bbad0e0699f7
- SHA256
  
  417269750915b1599cde84c6af73f00f5dbb8be287b1b03dc34887e8eab1105f
- SHA512
  
  73be6f42fe620c1c65ea35f2408055eceba0ff11347b4a3dc4f6f55161b06335a65d7dd922aa53174a49de0075159eef5bca7df50e8b46ff83ba4fdf6bd39300
Score

10^/10

formbook xloader b5ce loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Xloader Payload

Adds policy Run key to start application

Blocklisted process makes network request

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2