formbook | 768a13d336ce62e221c5228b84d9b98446f936ed9f29d0a7b281214cd7065617 | Triage

Submit
Reports

Overview

overview

Static

static

1

XXX00954345678LK.exe

windows7_x64

XXX00954345678LK.exe

windows10_x64

Sharing

General

Target

XXX00954345678LK.GZ
Size

245KB
Sample

211019-lwbwsagdhr
MD5

a86af64e2bc80c21801c4d46158149bf
SHA1

553251be4574e0c35b9de352df46977e881dd176
SHA256

768a13d336ce62e221c5228b84d9b98446f936ed9f29d0a7b281214cd7065617
SHA512

bdfcc53d5d878a14e8a18fa8ad56aeb951aea577307d34cd7945cdf39e42777bee2345f6451a3e3d593676b5b844a6654caddc8a7cd93ebd443383ba73dc48e0

Score

10^/10

formbook xloader iaop loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

XXX00954345678LK.exe

Resource

win7-en-20210920

xloader iaop loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

XXX00954345678LK.exe

Resource

win10-en-20211014

formbook xloader iaop loader persistence rat spyware stealer suricata trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

iaop

C2

http://www.georgeinnhatherleigh.com/iaop/

Decoy

oosakichi.com

group1beadles.com

navegadorexclusivo.digital

awefca.xyz

strakerwilliams.com

stone-img.com

radialodge.com

tequesquitengo.net

humanegardens.com

rubberyporqjp.xyz

farazkhak.com

gfsexpornvideos.com

stealth-carrier.com

hemtpi.xyz

tygcj.com

agileiance.com

ioan316.com

kitchendesigns.xyz

shannacarolphotography.com

oheytech88.net

dashiter.com

zijinmenhu.com

dmfiller.com

amberchee.com

farmaciaepspllu.com

help-kmcsupport.com

naxek.com

yuumgo.academy

baopishuizhong.com

appcast-64.com

vpm-vektra.com

privygym.com

texascyclerepair.com

queerstakepool.com

maxicashprokil.xyz

enchantbnuyxc.xyz

heyunshangcheng.info

blockchainsupport.company

consultoriathayanechlad.com

cigreencig.com

enriquelopez.net

ultimateexitstrategy.com

jesuspodcast.biz

wecuxs.com

louroblottoyof2.xyz

12monthmillionairetraining.com

autoecoleamiens.com

kokko-kids.com

uniquecarbonbrush.com

fardaruilen.quest

generalcontractortheodoreal.com

kare-furniture.com

odnglobal.com

rihaltravels.com

jdlpcpa.com

websupportoutlook.com

sonyagivensrealty.com

johnmcnamaraimages.net

fa7777.xyz

northvisiondigital.com

docteurhouyengah.com

contactcenter7.email

lebenohnefleisch.com

sign-egypt.com

Targets

- Target
  
  XXX00954345678LK.exe
- Size
  
  412KB
- MD5
  
  7efcc253b788f264320f6f7f3afbbaff
- SHA1
  
  5c25530ed2eb2dff34056aa855bd16e6aef9c3a9
- SHA256
  
  6fa43d41bcec83773fa6f333655029d886633b7a46153d9f7ffbe3c44de19be9
- SHA512
  
  aa410052ea52603c1ce87b4b696c62db540e0b903f618aa9384be09efd16c50acad654e8edd908b4724f8caa35e02cdaf125397d2a1c48acb305f7d4363d620e
Score

10^/10

xloader iaop loader rat suricata formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderiaoploaderratsuricata

behavioral2

formbookxloaderiaoploaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy