formbook

General

Target

SRL INJOUGH Oferty.xlsx
Size

183KB
Sample

220513-rwzwhabdfr
MD5

e2f9f7205237d66d1bf38afe6c640339
SHA1

8ca995164a3c4ef2e9bc5c95ee124872391deaa7
SHA256

48af10595cf68328465412bae7225b4c5da1f4394ddaa58735b15e062c502329
SHA512

ae47a6060cd11366865bc4f90c4203042f59f89dfbb57def54a1dcc5794f287233887b087802928672e76649525877f01587c85650274191730a935441cf9d1a

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

arh2

Decoy

hstorc.com

blackountry.com

dhrbakery.com

dezhouofit.com

defipayout.xyz

ginas4t.com

byzbh63.xyz

qrcrashview.com

mialibaby.com

enhaut.net

samainnova.com

yashveerresort.com

delfos.online

dungcumay.com

lj-counseling.net

fliptheswitch.pro

padogbitelawyer.com

aticarev.com

sederino.site

bestplansforpets-japan3.life

Targets

- Target
  
  SRL INJOUGH Oferty.xlsx
- Size
  
  183KB
- MD5
  
  e2f9f7205237d66d1bf38afe6c640339
- SHA1
  
  8ca995164a3c4ef2e9bc5c95ee124872391deaa7
- SHA256
  
  48af10595cf68328465412bae7225b4c5da1f4394ddaa58735b15e062c502329
- SHA512
  
  ae47a6060cd11366865bc4f90c4203042f59f89dfbb57def54a1dcc5794f287233887b087802928672e76649525877f01587c85650274191730a935441cf9d1a
Score

10^/10

xloader arh2 loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  decrypted
- Size
  
  177KB
- MD5
  
  ed6cfe2f33c53a2f00b89df64378d92d
- SHA1
  
  9887eb84bad60aeb24118f376ed20653b529ff01
- SHA256
  
  8bd763832d675d199f3e2b74daf55d3e575a6f1c40b9e51f00dfa2e7703d9d9d
- SHA512
  
  bb1182e7ba03becd8c2a6cfb911d1b9cf4dfe353320afd1053ed8094d5015cf1855480cb1f03c535920787dc250e880219f20b226f9ea2510e6e31a36277fec7
Score

10^/10

formbook xloader arh2 loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4