formbook | fe55fb664c32bacbd76bf8859a8a2cd17f23d21f08a22ac9881cb0fa33935990 | Triage

Sharing

General

Target

fe55fb664c32bacbd76bf8859a8a2cd17f23d21f08a22ac9881cb0fa33935990
Size

260KB
Sample

220519-rdy69agca8
MD5

27fe38ce70fca4c4526c07a42449f11e
SHA1

cd9243f1b525d08290f1bb2c428235a40e0a423e
SHA256

fe55fb664c32bacbd76bf8859a8a2cd17f23d21f08a22ac9881cb0fa33935990
SHA512

d68a45d7c19e2a13da3e68b17823578e4e0cd17e949931b90d1fb211ffee3d46f90acf28e1b93b76435c6f8c5da4050150e993c8e7d6a4d5af5114702d155d80

Score

10^/10

formbook xloader be4o loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

be4o

Decoy

laboratoriobioixcha.com

tictocperushop.online

wild-oceans.com

belaruscountry.com

kicktmall.com

fitcoinweb.tech

mores.one

gogear.one

gxrcksy.com

samrcq.com

impossible-icecream.com

bravesxx.com

bookchainart.com

sleepsolutionsofmboro.com

ocbrazilbusinessclub.com

advisor76.xyz

xitaotech.com

mgsdtytifgf3414.xyz

johnson-brown.net

cr3drt.com

Targets

- Target
  
  fe55fb664c32bacbd76bf8859a8a2cd17f23d21f08a22ac9881cb0fa33935990
- Size
  
  260KB
- MD5
  
  27fe38ce70fca4c4526c07a42449f11e
- SHA1
  
  cd9243f1b525d08290f1bb2c428235a40e0a423e
- SHA256
  
  fe55fb664c32bacbd76bf8859a8a2cd17f23d21f08a22ac9881cb0fa33935990
- SHA512
  
  d68a45d7c19e2a13da3e68b17823578e4e0cd17e949931b90d1fb211ffee3d46f90acf28e1b93b76435c6f8c5da4050150e993c8e7d6a4d5af5114702d155d80
Score

10^/10

formbook xloader be4o loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderbe4oloaderpersistenceratspywarestealersuricatatrojan