formbook

General

Target

payment advice_29011021.exe
Size

292KB
Sample

211129-q2zl9afbf8
MD5

9fd9757825549183fb53a8a7cbd0a11b
SHA1

3d24fae431c8c37b50fc0c8f6ca95af1ae19ce9e
SHA256

237b6ac1943742314565dfdcc34a5c17f475462ae4399a9a9765bbbd6c679c99
SHA512

b0c762e6393b883925368b520087618082e8e8cdb0885b888a5a787ce5525bd89e7b8799486013cceb84460e3bd793d4a4e415288334fdf62a8b52397aef7222

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

e8ia

C2

http://www.helpfromjames.com/e8ia/

Decoy

le-hameau-enchanteur.com

quantumsystem-au.club

engravedeeply.com

yesrecompensas.lat

cavallitowerofficials.com

800seaspray.com

skifun-jetski.com

thouartafoot.com

nft2dollar.com

petrestore.online

cjcutthecord2.com

tippimccullough.com

gadget198.xyz

djmiriam.com

bitbasepay.com

cukierniawz.com

mcclureic.xyz

inthekitchenshakinandbakin.com

busy-clicks.com

melaniemorris.online

Targets

- Target
  
  payment advice_29011021.exe
- Size
  
  292KB
- MD5
  
  9fd9757825549183fb53a8a7cbd0a11b
- SHA1
  
  3d24fae431c8c37b50fc0c8f6ca95af1ae19ce9e
- SHA256
  
  237b6ac1943742314565dfdcc34a5c17f475462ae4399a9a9765bbbd6c679c99
- SHA512
  
  b0c762e6393b883925368b520087618082e8e8cdb0885b888a5a787ce5525bd89e7b8799486013cceb84460e3bd793d4a4e415288334fdf62a8b52397aef7222
Score

10^/10

formbook xloader e8ia loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

Xloader Payload

Adds policy Run key to start application

Blocklisted process makes network request

Executes dropped EXE

Deletes itself

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2