formbook | 3353fe4567105c292bdae27525448f7d7a5d0b174e097355ff04e75057dd63f3 | Triage

Submit
Reports

Overview

overview

Static

static

1

RECEIPT RE...62.exe

windows7_x64

RECEIPT RE...62.exe

windows10-2004_x64

Sharing

General

Target

RECEIPT REF NO 002627262.pif
Size

302KB
Sample

220223-rk1cwsbgcm
MD5

5d333987aafbd8bf8df57e9b9e56b4ac
SHA1

c7bc50b60c4b20e1bf40eed679def38e46c0fb13
SHA256

3353fe4567105c292bdae27525448f7d7a5d0b174e097355ff04e75057dd63f3
SHA512

38eccdd1bd52da95835c8305257aa0b548a7582d04a87f2c06e82365cf00fdd699cb6ecc46b40146a658b9f4efae562141d809ad7b05ddfebc5d694b6417e517

Score

10^/10

formbook xloader rmfg loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

RECEIPT REF NO 002627262.exe

Resource

win7-20220223-en

xloader rmfg loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

RECEIPT REF NO 002627262.exe

Resource

win10v2004-en-20220112

formbook xloader rmfg loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rmfg

Decoy

prospectcompounding.com

grand-prix.voyage

solvingpklogc.xyz

eliamhome.com

gamevip88.club

arsels.info

dswlt.com

dchehe.com

lawyerjerusalem.com

pbnseo.xyz

apuryifuid.com

kiukiupoker88.net

leannonimpact.com

kare-furniture.com

mississaugaremax.online

zpyh198.com

dueplay.store

naimi.ltd

greenstepspodiatry.com

cewirtanen.com

stonebyparamount.com

stellenbargains.com

meyerranch.realty

bitcoingrab.com

ifjejijfe.xyz

drjeannerot.com

trgau.com

thailandland.land

satupena.info

coinzillo.com

cloudreveller.digital

wilsoncreekarts.com

hyalucaps.com

dempius.com

onycostopsale.com

54jjpygl.xyz

quick2repair.net

tpyrj.com

cyndeiversondesigns.com

lmandarin.com

bornholm-urlaub.info

rodictibey.quest

saiione.com

flydakhla.com

surveycourses.com

bestnico.space

huvao.com

uptownholding.com

elitesellerstrafficnet.com

zitzies.xyz

supermercadolonuestro.com

laptoppricenepal.com

navyantra.com

myjms315.com

loanswithbrian.net

birbeygrup.xyz

trend-marketing.club

meipassion.com

amtha.com

witlyza.com

boardsandbeamsdecor.com

c2batwpnmu5uvtvnvfk5916.com

yavuzselimorganizasyon.com

4580055.xyz

brimstrategy.com

Targets

- Target
  
  RECEIPT REF NO 002627262.pif
- Size
  
  302KB
- MD5
  
  5d333987aafbd8bf8df57e9b9e56b4ac
- SHA1
  
  c7bc50b60c4b20e1bf40eed679def38e46c0fb13
- SHA256
  
  3353fe4567105c292bdae27525448f7d7a5d0b174e097355ff04e75057dd63f3
- SHA512
  
  38eccdd1bd52da95835c8305257aa0b548a7582d04a87f2c06e82365cf00fdd699cb6ecc46b40146a658b9f4efae562141d809ad7b05ddfebc5d694b6417e517
Score

10^/10

xloader rmfg loader rat suricata formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Suspicious use of NtCreateProcessExOtherParentProcess
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderrmfgloaderratsuricata

behavioral2

formbookxloaderrmfgloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy