formbook | ea4ff2f24588108641954f72800aabab7348ccc64d86f8293dd23cfc45f5faa1 | Triage

Submit
Reports

Overview

overview

Static

static

vbc.exe

windows7_x64

vbc.exe

windows10-2004_x64

Sharing

General

Target

vbc.exe
Size

1.2MB
Sample

220519-rq2sxabcgk
MD5

77cd3eac0feb00d232d794c3880b9e91
SHA1

e258c7782240346e9a3e9897bd1629bbd40dbd15
SHA256

ea4ff2f24588108641954f72800aabab7348ccc64d86f8293dd23cfc45f5faa1
SHA512

16162f31e50f6f4025f0e0996338e6fb29c3cb20754da8835637a0e9b7c8bd432e8c4ded9febd97cabd4830c5c3940e6ad9b56afcd73c9d447a3d62d92951911

Score

10^/10

formbook xloader ud5f coreentity loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

vbc.exe

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

vbc.exe

Resource

win10v2004-20220414-en

formbook xloader ud5f coreentity loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

ud5f

Decoy

makcoll.com

mitrachocloud.com

finikilspase.site

vertriebmitherz.gmbh

terapiasdelsinuips.com

schoolmink.online

slotgacor588.xyz

zkf-lawyer.com

daskocleaning.com

baoxin-design.com

hollywoodcuts.net

animefnix.com

trinityhomesolutionsok.com

cfrhsw.xyz

articrowd.com

jlivingfurniture.com

marmolsystem.com

nudehack.com

beam-birds.com

cravensoft.com

bjyunjian.com

naturelleclub.com

reece-family.net

morarmail.com

morgantownpet.supply

recordanalytics.com

factheat.online

mcgillinvestigation.com

tinyhouse.contact

gpbrasilia.com

jacobsclub.com

theboemia.net

balifoodfun.com

alfonshotel.com

spaceokara.com

paraphras.com

ruibaituobj.com

rwbbrwe1.com

turkishrepublik.com

costumeshop.xyz

minatexacess.com

hathor-network.net

02d1qp.xyz

dadagrin.com

lfsijin.com

bupabii.site

mydiga-angststoerung.com

hayatseventeknoloji.com

adv-cleaner.site

ndsnus.com

rebeccabarclaylpc.com

eswpu.com

babbleboat.com

zvmsovsg.com

quantumlab5.com

venerems.com

sh09.fyi

maxpilesclinic.com

luigilucioni.com

yuttie.store

tripnii.com

topings33.com

madetopraisehim.com

tesladoge.info

freerenoadvice.com

Targets

- Target
  
  vbc.exe
- Size
  
  1.2MB
- MD5
  
  77cd3eac0feb00d232d794c3880b9e91
- SHA1
  
  e258c7782240346e9a3e9897bd1629bbd40dbd15
- SHA256
  
  ea4ff2f24588108641954f72800aabab7348ccc64d86f8293dd23cfc45f5faa1
- SHA512
  
  16162f31e50f6f4025f0e0996338e6fb29c3cb20754da8835637a0e9b7c8bd432e8c4ded9febd97cabd4830c5c3940e6ad9b56afcd73c9d447a3d62d92951911
Score

10^/10

coreentity formbook xloader ud5f loader persistence rat spyware stealer suricata trojan
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

formbookxloaderud5fcoreentityloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy