formbook | 2d150c3fca009a40d7c8e0641454412427d99664b985ba8c30614b9227a3c34f | Triage

Submit
Reports

Overview

overview

Static

static

1

aa9db27b20...7d.exe

windows7_x64

aa9db27b20...7d.exe

windows10-2004_x64

Sharing

General

Target

7343636119.zip
Size

258KB
Sample

220418-rwgd6afaa2
MD5

774e9d41f83e3cf9a598fe7f6cf49a9d
SHA1

3c3a6fa4e8dfa3befc3c410c032af7ae22f78392
SHA256

2d150c3fca009a40d7c8e0641454412427d99664b985ba8c30614b9227a3c34f
SHA512

35b02fe21df6899d122765cd5c9904c71558b4352d10bbe7773250b5be1fc0bb333e68e7ad43dc00b43b65239df78403ed7fa9f1960dc3ce639a322a2fa3d73e

Score

10^/10

formbook xloader p00n loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

aa9db27b2063f5aee9f97d7d86b883686f51bd030d0b38d6daaed3629a230a7d.exe

Resource

win7-20220414-en

xloader p00n loader rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

aa9db27b2063f5aee9f97d7d86b883686f51bd030d0b38d6daaed3629a230a7d.exe

Resource

win10v2004-20220414-en

formbook xloader p00n loader persistence rat spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p00n

Decoy

beaniemart.com

sugarlaces.online

kinesio-leman.com

gasfreenft.com

ateneaespai.com

askyourhr.com

recruitloft.com

carolinasbestroofingcompany.com

coacher.online

freshmind.today

help-it.online

nicelink17.com

islandtimeoperations.com

agricurve.net

rizkhr.com

innovatorsincommerce.com

grownwings.com

learningout.store

miaglam.com

tengfeijd8.com

cxhz.xyz

papayaflorida.com

bellanotteclub.online

nudeteenpornvideos.com

uowmnsds.icu

neighbourjoy-5.xyz

parkingparcel.com

yfly627.xyz

dooms.one

crushedvmkdla.online

24video-net.com

general-technologies.net

leadgenteambyec4.online

adorango.com

harborfundingconsultants.com

genetest.store

mapa-beograda.net

ppeglovesmasks.com

gleadss.com

mqzkk.com

siterrenos.com

letsmakeyourchoice.com

doseofyouth.com

shoppersgate.online

cdrb028.com

lojamariaml.com

customcabinetshoppaysonut.com

pow4u.com

einfach-mario.com

brasbux.com

indoor-lamps.com

ribblevalleyfairs.com

limonsite.com

cinreyyy.com

mobileinternetpackages.com

cazaclean.com

awaytraveltnpasumo6.xyz

roboskullks.com

sudnettrapline.com

360metaverse.tech

iphone13promax.repair

ichaogupiao.com

kathyrowe.com

it-brainpool.com

greensunergy.com

Targets

- Target
  
  aa9db27b2063f5aee9f97d7d86b883686f51bd030d0b38d6daaed3629a230a7d
- Size
  
  271KB
- MD5
  
  f9a20cce97d6efd9e8d071420a8858b7
- SHA1
  
  17680094e9bdefe2f5205729f2b55be2ffca81fa
- SHA256
  
  aa9db27b2063f5aee9f97d7d86b883686f51bd030d0b38d6daaed3629a230a7d
- SHA512
  
  fb9055d9f19788e0c2d25f3f400165b630ef6f62604d6ee6a764c7a57f5f115737db4187be30641bca16af11d84d3afdde73b0790f5d43f682e10439ed7a1026
Score

10^/10

xloader p00n loader rat formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderp00nloaderrat

behavioral2

formbookxloaderp00nloaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy