formbook | 5f3775f376c0ba2a894657f291b45e3d9a0a9ecd6a93162141dda0b9e9bc6e04 | Triage

Submit
Reports

Overview

overview

Static

static

1

PAIEMENT1.exe

windows7_x64

PAIEMENT1.exe

windows10_x64

Sharing

General

Target

PAIEMENT1.zip
Size

304KB
Sample

211110-xzf6fsfbhq
MD5

45a2cc28f8b1d455e867b376c57cad79
SHA1

831dd28eef758e1dbc56bd68a43bb6d2e6496878
SHA256

5f3775f376c0ba2a894657f291b45e3d9a0a9ecd6a93162141dda0b9e9bc6e04
SHA512

ae081214366ff325dcb45edb348fcbde72bfab18fd6cc38c649e0f9364e6d12d5dd6d5b05aca73b3e7d4a1f6803cb2663637a57807d614c41400009d3878214f

Score

10^/10

formbook xloader u9xn loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

PAIEMENT1.exe

Resource

win7-en-20211104

xloader u9xn loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PAIEMENT1.exe

Resource

win10-en-20211104

formbook xloader u9xn loader persistence rat spyware stealer suricata trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u9xn

C2

http://www.crisisinterventionadvocates.com/u9xn/

Decoy

lifeguardingcoursenearme.com

bolsaspapelcdmx.com

parsleypkllqu.xyz

68134.online

shopthatlookboutique.com

canlibahisportal.com

oligopoly.city

srchwithus.online

151motors.com

17yue.info

auntmarysnj.com

hanansalman.com

heyunshangcheng.info

doorslamersplus.com

sfcn-dng.com

highvizpeople.com

seoexpertinbangladesh.com

christinegagnonjewellery.com

artifactorie.biz

mre3.net

webbyteanalysis.online

medicmir.store

shdxh.com

salvationshippingsecurity.com

michita.xyz

itskosi.com

aligncoachingconsulting.com

cryptorickclub.art

cyliamartisbackup.com

ttemola.com

mujeresenfarmalatam.com

mykombuchafactory.com

irasutoya-ryou.com

envtmyouliqy.mobi

expert-rse.com

oddanimalsink.com

piezoelectricenergy.com

itservices-india.com

wintwiin.com

umgaleloacademy.com

everythangbutwhite.com

ishhs.xyz

brandsofcannabis.com

sculptingstones.com

hilldetailingllc.com

stone-project.net

rbrituelbeaute.com

atzoom.store

pronogtiki.store

baybeg.com

b148tlrfee9evtvorgm5947.com

msjanej.com

western-overseas.info

sharpecommunications.com

atlantahomesforcarguys.com

neosudo.com

blulacedefense.com

profilecolombia.com

blacksaltspain.com

sejiw3.xyz

saint444.com

getoken.net

joycegsy.com

fezora.xyz

Targets

- Target
  
  PAIEMENT1.exe
- Size
  
  424KB
- MD5
  
  4a40bc732ce463e10ae463ee7b890242
- SHA1
  
  090fea71d8bc7abe48ea0d36d91a38ecf49f83d8
- SHA256
  
  1ac69ae85debbb73ec8b2bc1252374eb717b757b61819a012a8eedbac1148cd5
- SHA512
  
  d0efc801cb42571030a7e4381004eb1f1e3ee2c560726d1be48b8e17c23a5a5604a2e6e142b7354219957bd37cdb2e5eb5d1c1d5748018d88e5733594e4435df
Score

10^/10

xloader u9xn loader rat suricata formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderu9xnloaderratsuricata

behavioral2

formbookxloaderu9xnloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy