formbook | e745235386d1908e2bf40be43cf982932ce8b1604fe59ed2195aee341becb7c3 | Triage

Submit
Reports

Overview

overview

Static

static

1

payment ad...12.exe

windows7_x64

payment ad...12.exe

windows10_x64

Sharing

General

Target

payment advice_008900112.exe
Size

246KB
Sample

220127-p5sgnsdcg9
MD5

0783312f7caf72f1ac2a9951145bdda4
SHA1

c3da5594f78880bd4fc1d496efca357e6c19f65a
SHA256

e745235386d1908e2bf40be43cf982932ce8b1604fe59ed2195aee341becb7c3
SHA512

1270782a3aa83186265d8253781d0af5aa5769ccff033672c4f42d27f1be73e7cd2dbe9adbd448a3c09841285c54523fd682721724564794ce152ffbde38d0e1

Score

10^/10

formbook xloader cxep loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

payment advice_008900112.exe

Resource

win7-en-20211208

xloader cxep loader rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

payment advice_008900112.exe

Resource

win10-en-20211208

formbook xloader cxep loader persistence rat spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cxep

Decoy

estateglobal.info

loransstore.com

loginofy.com

fjallravenz.online

cefseguranca-app.com

safontadiestramiento.com

bubbleteapro.com

morethanmummies.com

serviciopersonalizadoweb.com

headerbidder.info

skworkforce.com

heightsorthodontics.com

chulavistapd.com

southjerseyautobody.net

chargedbygratitude.com

meltingpotspot.com

gdjiachen.com

luckdrawprogram.com

vintagepaseo.com

bequestslojyh.xyz

layeredrofbes.xyz

com-weekly.email

suddisaddu.com

jnlord.com

outerverse.ventures

terraroyale.com

hairclub.info

rent2owninusa.com

pmaonline.xyz

wearecampo.com

multiplezonesplit.com

angry-mandala.com

ikigaiofficial.store

princewoodwork.store

moviesaver24.com

btec-solutions.com

valurgrayenterprises.com

homesofsilverspur.com

leysy-y-nazareno.com

grade8.tech

ammarus.com

researchjournal.net

nicolaslacasse.com

khukhuantainha.com

resultlv.com

toraportal.com

wickedhunterworld.com

clickspromolp.com

b148tlrnd09ustnnaku2721.com

high-low-ga.info

norcalfirewoodllc.com

fatima2021.com

aaronsmathquest.com

decal-mania.com

spitfiredefenceindustries.com

mireyita.com

simonhaidomous.com

roofingcontractorhickory.com

mgav69.xyz

spacebymeghan.com

hot144.com

mmfirewood.net

akshayaasri.com

bilgisayarimnekadar.com

littlesportsacademy.com

Targets

- Target
  
  payment advice_008900112.exe
- Size
  
  246KB
- MD5
  
  0783312f7caf72f1ac2a9951145bdda4
- SHA1
  
  c3da5594f78880bd4fc1d496efca357e6c19f65a
- SHA256
  
  e745235386d1908e2bf40be43cf982932ce8b1604fe59ed2195aee341becb7c3
- SHA512
  
  1270782a3aa83186265d8253781d0af5aa5769ccff033672c4f42d27f1be73e7cd2dbe9adbd448a3c09841285c54523fd682721724564794ce152ffbde38d0e1
Score

10^/10

xloader cxep loader rat formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadercxeploaderrat

behavioral2

formbookxloadercxeploaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy