formbook | 56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db | Triage

Submit
Reports

Overview

overview

Static

static

1

DEC SOA_09012022.exe

windows7_x64

DEC SOA_09012022.exe

windows10_x64

Sharing

General

Target

DEC SOA_09012022.exe
Size

373KB
Sample

220110-pf2daaeeek
MD5

6046b2f34b67e06c817f4375c6d26a54
SHA1

2230944a4216a07fde067866af7e81e1a52e8535
SHA256

56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db
SHA512

542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac

Score

10^/10

formbook xloader igwa loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

DEC SOA_09012022.exe

Resource

win7-en-20211208

xloader igwa loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

DEC SOA_09012022.exe

Resource

win10-en-20211208

formbook xloader igwa loader persistence rat spyware stealer suricata trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

igwa

Decoy

listingswithalex.com

funtabse.com

aydenwalling.com

prochal.net

superfoodsnederland.com

moldluck.com

dianekgordon.store

regionalhomescommercial.com

mysecuritymadesimple.com

malwaremastery.com

kodaikeiko.com

jrzg996.com

agricurve.net

songlingjiu.com

virginianundahfishingclub.com

friendschance.com

pastelpresents.com

answertitles.com

survival-hunter.com

nxfddl.com

traditionnevertrend.com

agrovessel.com

unicorm.digital

cucumboy.com

alemdogarimpo.com

laraful.com

hexwaa.com

hanu21st.com

knoycia.com

qishengxing.com

gopipurespices.com

fdkkrfidkdslsieofkld.info

elephantspublications.online

valeriebeijing.com

xn--42cg2czax6ptae6a.com

2shengman.com

sfcshavedice.com

ragworkhouse.com

stardomfrokch.xyz

exoticcenterfold.com

eventosartifice.com

test-order-noren.com

110bao.com

face-pro.online

freedomoff.com

futuresep.com

tremblock.com

chocolat-gillotte.com

speclove.com

ddflsl.com

goodnewsmbc.net

cloudtotaal.com

goapps-auth.com

ouch247max.com

sabra-sd.com

luxuryneverhurt.art

rxvendorpills.online

ludowinners.online

placemyorder.online

skyrim.company

monsterlecturer.com

controle-fiscal.com

phoenixinjurylawyer.online

nanoheadgames.com

toposales.com

Targets

- Target
  
  DEC SOA_09012022.exe
- Size
  
  373KB
- MD5
  
  6046b2f34b67e06c817f4375c6d26a54
- SHA1
  
  2230944a4216a07fde067866af7e81e1a52e8535
- SHA256
  
  56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db
- SHA512
  
  542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac
Score

10^/10

xloader igwa loader rat suricata formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderigwaloaderratsuricata

behavioral2

formbookxloaderigwaloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy