formbook | 64ac85dbe848795a0595a96f00817c5616387c26243081cfe33002ce9d89c4a5 | Triage

Submit
Reports

Overview

overview

Static

static

1

9afa54ca6a...b1.exe

windows7_x64

9afa54ca6a...b1.exe

windows10-2004_x64

Sharing

General

Target

9afa54ca6adc21703eafa1444d025fb1
Size

317KB
Sample

220224-jpvdfadehp
MD5

9afa54ca6adc21703eafa1444d025fb1
SHA1

23fc1a8eafc5d8693973ffaffc223cefc1c6cc13
SHA256

64ac85dbe848795a0595a96f00817c5616387c26243081cfe33002ce9d89c4a5
SHA512

68397ef5b5eba8964b3ab440bc30bb29c26c06e63eb4154632386d6de355492e2499efc20b47b87e87b89bf31a116d5a1f6059864c99a3ac9080b295d355e65b

Score

10^/10

formbook xloader p2a5 loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

9afa54ca6adc21703eafa1444d025fb1.exe

Resource

win7-20220223-en

formbook xloader p2a5 loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

9afa54ca6adc21703eafa1444d025fb1.exe

Resource

win10v2004-en-20220112

xloader p2a5 loader rat suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p2a5

Decoy

gorillaslovebananas.com

zonaextasis.com

digitalpravin.online

memorialdoors.com

departmenteindhoven.com

vipulb.com

ruyibao365.com

ynpzz.com

matthewandjessica.com

winfrey2024.com

janetride.com

arairazur.xyz

alltheheads.com

amayawebdesigns.com

califunder.com

blacksource.xyz

farmasi.agency

ilmkibahar.com

thinkcentury.net

eskortclub.com

trc-clicks.com

negc-inc.com

knightfy.com

rentalsinkendall.com

semikron1688.com

755xy.xyz

primespot-shop.com

securetravel.group

luxehairbyjen.com

augpropertygroup.com

xinlishiqiaoqiao.xyz

naggingvmkqmn.online

pynch2.com

awarco.net

booyademy.com

244.house

574761.com

haoshanzhai.com

dubaiforlife.com

acidiccatlsd.com

amotekuntv.com

runfreeco.com

iamaka.net

599-63rdstreet.com

cakeshares.com

evengl.com

joinlever.com

cyberaised.online

genrage.com

walterjliveharder.com

northbayavs.com

spajoo.com

ypkp-com37qq.com

dautucamlam.com

installslostp.xyz

bisbenefits.solutions

espchange.com

exteches.com

utilitytrace.com

468max.com

835391.com

shoptomst.com

pingerton.online

avpxshnibd.mobi

cupboarddi.com

Targets

- Target
  
  9afa54ca6adc21703eafa1444d025fb1
- Size
  
  317KB
- MD5
  
  9afa54ca6adc21703eafa1444d025fb1
- SHA1
  
  23fc1a8eafc5d8693973ffaffc223cefc1c6cc13
- SHA256
  
  64ac85dbe848795a0595a96f00817c5616387c26243081cfe33002ce9d89c4a5
- SHA512
  
  68397ef5b5eba8964b3ab440bc30bb29c26c06e63eb4154632386d6de355492e2499efc20b47b87e87b89bf31a116d5a1f6059864c99a3ac9080b295d355e65b
Score

10^/10

formbook xloader p2a5 loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
  suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
  suricata
- Xloader Payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderp2a5loaderpersistenceratspywarestealersuricatatrojan

behavioral2

xloaderp2a5loaderratsuricata

© 2018-2024

Terms | Privacy