formbook | 907d822406f165aac9a4fbe4a61088b223b18925e19f0ee2ac00b26d119ebb78 | Triage

Submit
Reports

Overview

overview

Static

static

1

ORDER_EM.exe

windows7_x64

ORDER_EM.exe

windows10_x64

Sharing

General

Target

907d822406f165aac9a4fbe4a61088b223b18925e19f0ee2ac00b26d119ebb78
Size

1.2MB
Sample

220129-lzl6xsabf8
MD5

495e787a13ae84d43a1341f1fc320b1b
SHA1

f974a698b4213aa0aa68c46d617c97d78d08064f
SHA256

907d822406f165aac9a4fbe4a61088b223b18925e19f0ee2ac00b26d119ebb78
SHA512

6ecefa6d7ddebe7fa596856113f97388cdcaa86356f9e441b067465bb674e799827feda9684ff0d647574caffbf8acb397f615a92b33403c2e6fd294dc6fb3f3

Score

10^/10

formbook xloader uar3 loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

ORDER_EM.exe

Resource

win7-en-20211208

xloader uar3 loader rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ORDER_EM.exe

Resource

win10-en-20211208

formbook xloader uar3 loader persistence rat spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

kgv-lachswehr.com

salazarcomunicacion.com

robopython.com

corporateequity.online

complianceservicegroup.com

aperza-ex.com

webflowusa.com

asesoriasfinancieras.xyz

missolivesbranches.com

numiquest.com

criskconsultancy.com

gotemup.com

themaptalk.com

lakebalboahalf.com

cateringfrenchcroissant.com

paddocklakerealestate.com

lojaquerosurprezza.store

courtneywhitearmusic.com

geovannimaquinadevendas.online

pricklypairjazz.com

engagedigi.com

conduitforthespirit.com

anaheimaletrail.com

wholesalemall.store

alertsbecu.com

gestion-kayfra.com

youcanstores.com

qsuo.net

formadv.info

dihesia.xyz

carrreir.com

twenteeminuteswithtee.com

realliferenewal.com

officialprokodsukses.icu

stanfordgrouploscabos.com

maxicashpromir.xyz

zysqshjs.com

trc-clicks.com

chsclbd.com

amdproduce.net

republicoflies.com

beaux-parents.com

lucrativeapp.com

milbombas.com

alexanderplaywear.com

Targets

- Target
  
  ORDER_EM.PIF
- Size
  
  247KB
- MD5
  
  6965c35c75220ac5a5d4f3ab46cf4363
- SHA1
  
  e4691bf844e64f3f05dda96ab50f8875979f65d6
- SHA256
  
  fb45dfc26c736d67a8c409194b6f0e503a4519be42dfd1eaa7b7efb026d7c512
- SHA512
  
  638c27f985560c0f9e7021cffd44a5c586f1c4a73d86c655e157d9167a6703d26961c2f6508c6a9aa850868042483b6878e97d644b9f0c7dcbd88e08076057b4
Score

10^/10

xloader uar3 loader rat formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderuar3loaderrat

behavioral2

formbookxloaderuar3loaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy