formbook

General

Target

e50a6adc3a4af45a5cfac4a213be964aa7ed0db5eb8b13ed7c4fc99e160cbc67
Size

252KB
Sample

220414-rkjedafda8
MD5

36733a707992f4e84c54691d69302a6e
SHA1

b6b4d5ae64717dea9492000e317fc370fa37b0fc
SHA256

e50a6adc3a4af45a5cfac4a213be964aa7ed0db5eb8b13ed7c4fc99e160cbc67
SHA512

e4a7f86fdbef37b09a6609fdbae47340489e81813b39b0717adee5424ee84a2e419db87b0b62ece43cd99744db89f903bb1285d88d204655beccd4502db0f1f7

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.0

Campaign

b6fg

Decoy

multlockmt5.com

mohajrannoor.com

robynhoodofretail.info

belinv.com

hotellasab.com

kibrismosad.com

xn--fxwm39aeb590h.xn--io0a7i

resetbrasil.com

tcsonhvac.com

theresav.net

bohoqi.info

machinafuturae.com

mambavault.com

xn--980am9a.top

yumiang.com

evntmonitor.com

83003kk.com

triterm.com

8800pe.com

silvanstudio.com

Targets

- Target
  
  PO930832084.exe
- Size
  
  341KB
- MD5
  
  370cdd4fca95e154659920f86124091b
- SHA1
  
  70fc058fe1dda4ed6b00da429e3849d11d1127f8
- SHA256
  
  00668e0dac77414a7a5fc8df4867e3a75fc928cdd97b57c068edb11522fecf97
- SHA512
  
  7d23b4ab99551a5b57d93d77953b9fa7702916c0cd6bbef263526d165a5dcd7825f17fba74797027ad456b3a7a3d35b1c066861fea583420389f984aadb831df
Score

10^/10

formbook xloader b6fg loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

Xloader Payload

Adds policy Run key to start application

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2