formbook | cd4ee025ad3406b7e572952d42465eee19649cef6c0d3a6acbb0e972096988f4 | Triage

Submit
Reports

Overview

overview

Static

static

DELIVERY D...TS.exe

windows7_x64

DELIVERY D...TS.exe

windows10-2004_x64

Resubmissions

16-02-2022 14:43

220216-r31flsdagq 10

16-02-2022 14:37

220216-rzmeksdagk 10

16-02-2022 14:22

220216-rpkg8sdafl 10

Sharing

General

Target

DELIVERY DOCUMENTS.exe
Size

707KB
Sample

220216-rzmeksdagk
MD5

427ef5f4e1143ad34c33b26dc4681661
SHA1

673fb1a58e4707ad783d03ca97b3fbd8b4cad73a
SHA256

cd4ee025ad3406b7e572952d42465eee19649cef6c0d3a6acbb0e972096988f4
SHA512

b225afbb07853516f1b741e833e1a63026c0dc5adbb0c3fcfb48f8c6681bc770558499df3d3f5c17df45395dedc3624a1e8fa6498395ac20a82f44e27a61dfbb

Score

10^/10

formbook xloader zqzw loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

DELIVERY DOCUMENTS.exe

Resource

win7-en-20211208

formbook xloader zqzw loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

DELIVERY DOCUMENTS.exe

Resource

win10v2004-en-20220113

formbook xloader zqzw loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

zqzw

Decoy

laurentmathieu.com

nohohonndana.com

hhmc.info

shophallows.com

blazebunk.com

goodbridge.xyz

flakycloud.com

bakermckenziegroups.com

formation-adistance.com

lovingearthbotanicals.com

tbrservice.plus

heritagehousehotels.com

drwbuildersco.com

lacsghb.com

wain3x.com

dadreview.club

continiutycp.com

cockgirls.com

48mpt.xyz

033skz.xyz

gmconstructionlnc.com

ms-mint.com

aenrione.xyz

honxuan.com

snowmanvila.com

cig-online.com

valetvolley.com

bjsnft.com

bennystrom.com

flw.ink

clarissagrandiart.com

samfamstudio.com

pamschams.com

edgar-regale.com

combi-tech.tech

00xwq.online

eclipseconstrucciones.com

plick-click.com

dive.education

regenelis.com

blue-chipwordtoscan-today.info

xn--rsso51aevf65u.com

maonagrana.com

lucasdebatintrader.com

cassijohnson.com

roeten.online

into-concrete.xyz

motovip.store

floryfab.com

slkykq.com

vidyakala.com

stairwaystowealth.com

meganandbobbyprine.com

arestradings.com

emilyschlueter.com

platanin.com

hnhstudios.com

dmembutidos.com

dcassorealtor.com

megamobil.wien

001skz.xyz

5t45urfgurkhgbvkhbuh.com

a3hd.com

newmexicotruckwrecklawyers.com

trabaho-academy.net

Targets

- Target
  
  DELIVERY DOCUMENTS.exe
- Size
  
  707KB
- MD5
  
  427ef5f4e1143ad34c33b26dc4681661
- SHA1
  
  673fb1a58e4707ad783d03ca97b3fbd8b4cad73a
- SHA256
  
  cd4ee025ad3406b7e572952d42465eee19649cef6c0d3a6acbb0e972096988f4
- SHA512
  
  b225afbb07853516f1b741e833e1a63026c0dc5adbb0c3fcfb48f8c6681bc770558499df3d3f5c17df45395dedc3624a1e8fa6498395ac20a82f44e27a61dfbb
Score

10^/10

formbook xloader zqzw loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderzqzwloaderpersistenceratspywarestealersuricatatrojan

behavioral2

formbookxloaderzqzwloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy