formbook | a686e5ac28756f1aca5bff5030a1e34f6e31cf0fcec96763b92c20b4e20c7700 | Triage

Submit
Reports

Overview

overview

Static

static

Quotation ...nt.exe

windows7_x64

Quotation ...nt.exe

windows10_x64

Sharing

General

Target

Quotation - Urgent.zip
Size

675KB
Sample

211117-fhrr7ahch2
MD5

0576ae4cf9f00aa8eea327a5af159fb0
SHA1

ab3562b2665b1b13c65333b49b07a0d92a9bc65d
SHA256

a686e5ac28756f1aca5bff5030a1e34f6e31cf0fcec96763b92c20b4e20c7700
SHA512

917675f0efa0d60cdca9c570996e8e6eb069a7eca49b3094468c9010c1d967f9b8829b115aa8b65b912a156e88dbfa1401ebc340787b3c296fde7898659272a5

Score

10^/10

formbook xloader ea0r loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Quotation - Urgent.exe

Resource

win7-en-20211104

formbook xloader ea0r loader persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Quotation - Urgent.exe

Resource

win10-en-20211014

formbook xloader ea0r loader persistence rat spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

metalumber.com

sclvfu.com

macanostore.online

projecturs.com

ahcprp.com

gztyfnrj.com

lospacenos.com

tak-etranger.com

dingermail.com

skiin.club

ystops.com

tnboxes.com

ccafgz.com

info1337.xyz

platinum24.top

hothess.com

novelfinancewhite.xyz

theselectdifference.com

flufca.com

giftcodefreefirevns.com

kgv-lachswehr.com

report-alfarabilabs.com

skeetones.com

4bcinc.com

americamr.com

wewonacademy.com

evrazavto.store

true-fanbox.com

greencofiji.com

threecommaspartners.com

hgtradingcoltd.com

xihe1919.com

241mk.com

helplockedout.com

wefundprojects.com

neosecure.store

purenewsworldwide.com

luckylottovip999.com

lottidobler.com

proyectohaciendohistoria.com

raintm.com

theproducerformula.com

trademarkitforyourself.com

ottaweed.com

Targets

- Target
  
  Quotation - Urgent.exe
- Size
  
  847KB
- MD5
  
  ba72b878c2663e3f76de3d4ed7dfc8d2
- SHA1
  
  e5a908d5a4ffeb873f176346c60663d575c8007f
- SHA256
  
  ffba1e049d0da0a9f880a0f7e0b84a17699362ad87a1198cec937250c66587fd
- SHA512
  
  9536239139c2f082767c4c03317a62aaf34e1f5a0a721063885919bb9e526ac3cbe13e1b5c56b6aab8722d3ad597b35f340636988565e8503c18092c58750471
Score

10^/10

formbook xloader ea0r loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Executes dropped EXE
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderea0rloaderpersistenceratspywarestealertrojan

behavioral2

formbookxloaderea0rloaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy