formbook | 91cf449506a9c3ade639027f6a38e99ee22d9cc7c2a1c4bc42fc8047185b8918 | Triage

Submit
Reports

Overview

overview

Static

static

TW0091.xlsx

windows7_x64

TW0091.xlsx

windows10-2004_x64

4

Sharing

General

Target

TW0091.xlsx
Size

187KB
Sample

220211-wmgqsaeegl
MD5

41521b74c54998dcd1460d444b07c5f1
SHA1

29dcf07f9964a0c2a36defa2935441f559fe7cd2
SHA256

91cf449506a9c3ade639027f6a38e99ee22d9cc7c2a1c4bc42fc8047185b8918
SHA512

8841ddad3690fb1c1436331b03ac26a356f0ff32ab5df923770da4af94785ee5d73cf0f68367cdb2bd3c31922f8be8726004e737753b11c9b32959f71155466d

Score

10^/10

formbook xloader b80i loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

TW0091.xlsx

Resource

win7-en-20211208

formbook xloader b80i loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

TW0091.xlsx

Resource

win10v2004-en-20220113

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b80i

Decoy

junkremovallawrencevillega.com

almihdar.com

libertymarket.net

daxvip.com

smartxbusinessnetwork.com

aanhanger-verhuur.com

nigerianspecialtyfoods.com

springeqx.com

jmwimpactrecovery.com

teamindus.net

cannabisconnecticut.net

50mpt.xyz

southstarfenceny.com

allisonwinterdesign.com

appsforbusiness.pro

rampi6.com

dusa.codes

firstclassrealtynj.com

curativecarnivore.com

verzeker.xyz

alternativeformicroplastic.com

tealdevelopment.com

topsystem-au.club

coinpredictz.com

kktmail.com

juhaot.com

gmatcafe.com

sz-jialejia.com

applesburyschool.com

trailpupoutfitters.com

workunvaxed.com

uncgclassof1971.com

drone-rullime.com

hsgmaster.com

buminvestments.com

dramacooldb.com

alanavieira.online

blacksoldierflyvietnam.net

aurorapartnersllc.com

hhhsccultum.quest

musicboxkaraoke.com

asean-bridges.com

fpyekklm.quest

nigarinyeri.com

cornwall-surf.com

internet-satellit.com

metaversebiometric.com

aeyeone.com

brulinparts.com

botega7.com

jackandmaddie.party

mandtautos.com

rcepbio.com

startup-doctor.com

slingplugrental.com

kadi.network

colombiahouseware.com

arteypromocion.net

nikosen.com

donerightcleaningnation.info

thrivingbravelife.com

sprinklekart.com

endesaunasolucionunica.com

chicagohockeyhawks.com

appleenclosure.com

Targets

- Target
  
  TW0091.xlsx
- Size
  
  187KB
- MD5
  
  41521b74c54998dcd1460d444b07c5f1
- SHA1
  
  29dcf07f9964a0c2a36defa2935441f559fe7cd2
- SHA256
  
  91cf449506a9c3ade639027f6a38e99ee22d9cc7c2a1c4bc42fc8047185b8918
- SHA512
  
  8841ddad3690fb1c1436331b03ac26a356f0ff32ab5df923770da4af94785ee5d73cf0f68367cdb2bd3c31922f8be8726004e737753b11c9b32959f71155466d
Score

10^/10

formbook xloader b80i loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderb80iloaderpersistenceratspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy