formbook | 7716fec715a46b0eb4518d53703b0fc2186e6a473a876de7aee9155ec289f93a | Triage

Submit
Reports

Overview

overview

Static

static

1

ORDER N. 1487.exe

windows7_x64

ORDER N. 1487.exe

windows10_x64

Sharing

General

Target

ORDER N. 1487.exe
Size

334KB
Sample

211022-n7fp8abeh2
MD5

08ae4dd275718d077172abb99be15464
SHA1

cf99068f0ea4acafc515fbe334a71e62401ac757
SHA256

7716fec715a46b0eb4518d53703b0fc2186e6a473a876de7aee9155ec289f93a
SHA512

6fca40792388c3047701dd1a24854b420aaba8fb194dee35b58cecdaf57a65f6f843b77fe4ce1d89aee8cfd553d516afd76cefbc1b96349d3890015f191d1d42

Score

10^/10

formbook xloader u3ja loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

ORDER N. 1487.exe

Resource

win7-en-20210920

xloader u3ja loader rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ORDER N. 1487.exe

Resource

win10-en-20211014

formbook xloader u3ja loader persistence rat spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u3ja

C2

http://www.global-shopings.com/u3ja/

Decoy

emiratescomm.net

whattodotenerife.com

bspq-jlcd.com

torobesttanker.info

projectcentered.com

agglog.com

francesbypoppy.com

lakenormanpilates.net

chaseatms.com

bendarlingart.com

blogjust.xyz

wodeluzhou.com

p6ynwcxrxetb.biz

servpix.com

eddysearthmoving.com

rvafootcarenurses.com

contessa.store

jasonconcerttickets.com

umldbe.xyz

noroesteremotos.online

camirraskitchen.com

waigua233.com

hardheadedrhino.com

kompidroid.com

the-brass-manual.com

omniahgames.com

ultimateautomations.com

faroutfarrah.com

yuhaoguoji.com

jihengzhiye.com

7408124.top

isee-electricity.com

ningxing.net

pereiraville.com

megavideos.online

891817.com

sonoranoasissandtpark.com

mypc.host

journee-interimaire.net

bigizy.com

aojinhl.com

dgjhccz.com

cursinhodemarketing.online

cetalimited.com

dreamworthyacademy.com

sportbota.com

nbibiosciences.com

e2adriasec.online

pzmods.xyz

vocserv.com

nudeteenstube.com

massparadigm.com

hsfdev.com

cincinnatiworship.com

nutri6si.com

8307ephraim.com

yoda.host

serkgmz.store

2bw3t.online

televizyonborsasi.online

babysmileuae.com

gzsxbz.com

qxzu9.website

ricardoangulo.com

Targets

- Target
  
  ORDER N. 1487.exe
- Size
  
  334KB
- MD5
  
  08ae4dd275718d077172abb99be15464
- SHA1
  
  cf99068f0ea4acafc515fbe334a71e62401ac757
- SHA256
  
  7716fec715a46b0eb4518d53703b0fc2186e6a473a876de7aee9155ec289f93a
- SHA512
  
  6fca40792388c3047701dd1a24854b420aaba8fb194dee35b58cecdaf57a65f6f843b77fe4ce1d89aee8cfd553d516afd76cefbc1b96349d3890015f191d1d42
Score

10^/10

xloader u3ja loader rat formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderu3jaloaderrat

behavioral2

formbookxloaderu3jaloaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy