formbook

General

Target

Minutes of Meeting 23.10.2021.r00
Size

624KB
Sample

211025-bc9zcsgdbn
MD5

80d6bc0f08977b8ab0e2c2ec2b7532d9
SHA1

7ac57360bb6cab60be02a74abd7d63dc0d35c02b
SHA256

18716438acba2b561bea9540e95684f7730690fc302fe0c354c778a9ddffe3df
SHA512

ed1314e17f4173a060db04be270657dcd8a9acf4e317ce7f1a033d0112828dd7c71261698b0bb16ecdd8e3b2f4c65a6b0e5d1156bd5683c3ad5f257fea8201d6

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

snec

C2

http://www.go2payme.com/snec/

Decoy

sacramentoscoop.com

auroraeqp.com

ontactfactory.com

abenakigroup.com

xander-tech.com

cocaineislegal.com

carbondouze.com

louisvilleestatelawyer.com

sundaytejero.quest

arti-faqs.com

thisandthat.store

biodyne-el-salvador.com

18504seheritageoakslane.com

mfialias.xyz

whitestoneclo.com

6288117.com

oficiosuy.com

autogift.xyz

wallbabyshell.com

chaletlabaie.com

Targets

- Target
  
  Minutes of Meeting 23.10.2021.exe
- Size
  
  689KB
- MD5
  
  491dde53e267c765b4d8bebd697ec18c
- SHA1
  
  fc00a77492a1a824965a730a1144b1360ac18b96
- SHA256
  
  2c32280be865e3af57719b11ea9b1fd1c6e25f6a7292fb4f0932cd6f1c231ca1
- SHA512
  
  c3b5a3e3dfb83b022aaeb4c5d26b163aee21d5c8efbf7634a18e5fb13a81b299f516321d0cee8f5da529856c8897d440d58a63b94edc3177c3b52653fcba7ac7
Score

10^/10

xloader snec loader rat suricata formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Executes dropped EXE
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Xloader Payload

Executes dropped EXE

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2