formbook | ab928039cd56672d5b9a02322f1d91793cc6fcd3b42217c00cc682a0a42d1620 | Triage

Submit
Reports

Overview

overview

Static

static

1

triage_dro...le.exe

windows7_x64

triage_dro...le.exe

windows10-2004_x64

Resubmissions

28-02-2022 15:20

220228-sq37eaeee2 10

28-02-2022 15:15

220228-smwyxsfhdq 10

Sharing

General

Target

triage_dropped_file
Size

339KB
Sample

220228-sq37eaeee2
MD5

e2b38d12aac4c0d8cc5ff6588158ed62
SHA1

03ad689d9baee2a32943ae87f601fa624d2dc503
SHA256

ab928039cd56672d5b9a02322f1d91793cc6fcd3b42217c00cc682a0a42d1620
SHA512

ab105692c72406006e93a5b21fc612362e01477266af6bb4014cfb0f90d393b458a58c5139d2f59ca81f5ec5348077a2b1a2077f5fed486d87efdb872a9bdcae

Score

10^/10

formbook xloader p2a5 loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

triage_dropped_file.exe

Resource

win7-en-20211208

formbook xloader p2a5 loader persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

triage_dropped_file.exe

Resource

win10v2004-en-20220113

formbook xloader p2a5 loader persistence rat spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p2a5

Decoy

gorillaslovebananas.com

zonaextasis.com

digitalpravin.online

memorialdoors.com

departmenteindhoven.com

vipulb.com

ruyibao365.com

ynpzz.com

matthewandjessica.com

winfrey2024.com

janetride.com

arairazur.xyz

alltheheads.com

amayawebdesigns.com

califunder.com

blacksource.xyz

farmasi.agency

ilmkibahar.com

thinkcentury.net

eskortclub.com

trc-clicks.com

negc-inc.com

knightfy.com

rentalsinkendall.com

semikron1688.com

755xy.xyz

primespot-shop.com

securetravel.group

luxehairbyjen.com

augpropertygroup.com

xinlishiqiaoqiao.xyz

naggingvmkqmn.online

pynch2.com

awarco.net

booyademy.com

244.house

574761.com

haoshanzhai.com

dubaiforlife.com

acidiccatlsd.com

amotekuntv.com

runfreeco.com

iamaka.net

599-63rdstreet.com

cakeshares.com

evengl.com

joinlever.com

cyberaised.online

genrage.com

walterjliveharder.com

northbayavs.com

spajoo.com

ypkp-com37qq.com

dautucamlam.com

installslostp.xyz

bisbenefits.solutions

espchange.com

exteches.com

utilitytrace.com

468max.com

835391.com

shoptomst.com

pingerton.online

avpxshnibd.mobi

cupboarddi.com

Targets

- Target
  
  triage_dropped_file
- Size
  
  339KB
- MD5
  
  e2b38d12aac4c0d8cc5ff6588158ed62
- SHA1
  
  03ad689d9baee2a32943ae87f601fa624d2dc503
- SHA256
  
  ab928039cd56672d5b9a02322f1d91793cc6fcd3b42217c00cc682a0a42d1620
- SHA512
  
  ab105692c72406006e93a5b21fc612362e01477266af6bb4014cfb0f90d393b458a58c5139d2f59ca81f5ec5348077a2b1a2077f5fed486d87efdb872a9bdcae
Score

10^/10

formbook xloader p2a5 loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Suspicious use of NtCreateProcessExOtherParentProcess
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderp2a5loaderpersistenceratspywarestealertrojan

behavioral2

formbookxloaderp2a5loaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy