formbook | 16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c | Triage

Submit
Reports

Overview

overview

Static

static

1

bunker inq...21.exe

windows7_x64

bunker inq...21.exe

windows10-2004_x64

Sharing

General

Target

bunker inquiry_020100121.exe
Size

272KB
Sample

220117-d6gk1sghcl
MD5

d700d80487e10f8b9ea5fb50b9e9109c
SHA1

9177a19d76b09d4cde071a07ffb626c9bd4e3652
SHA256

16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c
SHA512

e27bf0d76d02b2ccd90d30d94cb94d1549f920fb9fcbf31b0ce13131cd6ff7465a08515469414214d23a26cb7474b7f9a9749c2be88a51458768f8cd429c9a40

Score

10^/10

formbook xloader igwa loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

bunker inquiry_020100121.exe

Resource

win7-en-20211208

xloader igwa loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

bunker inquiry_020100121.exe

Resource

win10v2004-en-20220112

formbook xloader igwa loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

igwa

Decoy

listingswithalex.com

funtabse.com

aydenwalling.com

prochal.net

superfoodsnederland.com

moldluck.com

dianekgordon.store

regionalhomescommercial.com

mysecuritymadesimple.com

malwaremastery.com

kodaikeiko.com

jrzg996.com

agricurve.net

songlingjiu.com

virginianundahfishingclub.com

friendschance.com

pastelpresents.com

answertitles.com

survival-hunter.com

nxfddl.com

traditionnevertrend.com

agrovessel.com

unicorm.digital

cucumboy.com

alemdogarimpo.com

laraful.com

hexwaa.com

hanu21st.com

knoycia.com

qishengxing.com

gopipurespices.com

fdkkrfidkdslsieofkld.info

elephantspublications.online

valeriebeijing.com

xn--42cg2czax6ptae6a.com

2shengman.com

sfcshavedice.com

ragworkhouse.com

stardomfrokch.xyz

exoticcenterfold.com

eventosartifice.com

test-order-noren.com

110bao.com

face-pro.online

freedomoff.com

futuresep.com

tremblock.com

chocolat-gillotte.com

speclove.com

ddflsl.com

goodnewsmbc.net

cloudtotaal.com

goapps-auth.com

ouch247max.com

sabra-sd.com

luxuryneverhurt.art

rxvendorpills.online

ludowinners.online

placemyorder.online

skyrim.company

monsterlecturer.com

controle-fiscal.com

phoenixinjurylawyer.online

nanoheadgames.com

toposales.com

Targets

- Target
  
  bunker inquiry_020100121.exe
- Size
  
  272KB
- MD5
  
  d700d80487e10f8b9ea5fb50b9e9109c
- SHA1
  
  9177a19d76b09d4cde071a07ffb626c9bd4e3652
- SHA256
  
  16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c
- SHA512
  
  e27bf0d76d02b2ccd90d30d94cb94d1549f920fb9fcbf31b0ce13131cd6ff7465a08515469414214d23a26cb7474b7f9a9749c2be88a51458768f8cd429c9a40
Score

10^/10

xloader igwa loader rat suricata formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderigwaloaderratsuricata

behavioral2

formbookxloaderigwaloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy