formbook | 8b74ea45562754413df652ff7754a4c4ac90782f298a1d4066c9801d799a1138 | Triage

Submit
Reports

Overview

overview

Static

static

1

DOC40218.exe

windows7_x64

7

DOC40218.exe

windows10-2004_x64

Sharing

General

Target

8b74ea45562754413df652ff7754a4c4ac90782f298a1d4066c9801d799a1138
Size

1.2MB
Sample

220205-g14edahafr
MD5

de27b85bfa13e39026b81344b1e4dfb7
SHA1

7cfd963249cef91259f666b461c12fe4e6faab34
SHA256

8b74ea45562754413df652ff7754a4c4ac90782f298a1d4066c9801d799a1138
SHA512

2f79ca82193a52b7c5967738419e2f56d9b036a1a268fadd2f419c0e9e09b223771a8c1b47d601a5d58d7e18e8002a9ea7d772ddd28e36b0ed8751e186a7b729

Score

10^/10

formbook xloader ahc8 loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

DOC40218.exe

Resource

win7-en-20211208

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

DOC40218.exe

Resource

win10v2004-en-20220112

formbook xloader ahc8 loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

civicinfluencers.net

gzhf8888.com

kuleallstar.com

palisadeslodgecondos.com

holyhirschsprungs.com

azalearoseuk.com

jaggllc.com

italianrofrow.xyz

ioewur.xyz

3a5hlv.icu

kitcycle.com

estate.xyz

ankaraescortvip.xyz

richclubsite2001.xyz

kastore.website

515pleasantvalleyway.com

sittlermd.com

mytemple.group

tiny-wagen.com

sharaleesvintageflames.com

mentalesteem.com

sport-newss.online

fbve.space

lovingtruebloodindallas.com

eaglehospitality.biz

roofrepairnow.info

mcrosfts-updata.digital

cimpactinc.com

greatnotleyeast.com

lovely-tics.com

douglas-enterprise.com

dayannalima.online

ksodl.com

rainbowlampro.com

theinteriorsfurniture.com

eidmueller.email

cg020.online

gta6fuzhu.com

cinemaocity.com

hopeitivity.com

savageequipment.biz

groceriesbazaar.com

hempgotas.com

casino-pharaon-play.xyz

ralfrassendnk-login.com

Targets

- Target
  
  DOC40218.EXE
- Size
  
  409KB
- MD5
  
  f0d6685e51ab75d3585212478055cb22
- SHA1
  
  11cc87018e7dd4620e7b824012f40cac0a1f367d
- SHA256
  
  caaa240601d0e42acb112b2c61f1f71cb12348f77259c8c98cece75735dfc1e0
- SHA512
  
  3b19cae94fd6baa2c18069b01e3386db1f13ab848fcce0f9673b246b5f5fb5bad414c27b835bf6f478937fc8afa23d77b7beea4f299badb9434f585792b168a5
Score

10^/10

formbook xloader ahc8 loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

formbookxloaderahc8loaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy