formbook | 3904214c69427ca44fbe3dd2b567493d006578d13b50a22367dbbf547d7f714c | Triage

Submit
Reports

Overview

overview

Static

static

PO0932083943974.exe

windows7_x64

PO0932083943974.exe

windows10-2004_x64

Sharing

General

Target

3904214c69427ca44fbe3dd2b567493d006578d13b50a22367dbbf547d7f714c
Size

205KB
Sample

220521-az5sgseafj
MD5

69ca5593a7f846a565a6d23a5013d883
SHA1

8a3e486b679d3df59a8b6064e674eb8ba511f9b9
SHA256

3904214c69427ca44fbe3dd2b567493d006578d13b50a22367dbbf547d7f714c
SHA512

f283633fb8414fbb54b601392acdcec7cddd786e36e493c5e8d288d4de50bac631bafcb455f9a5d34393a84313b628e2a9c7182e34c2d175092aa4401f44d1e9

Score

10^/10

formbook xloader b6fg loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO0932083943974.exe

Resource

win7-20220414-en

formbook xloader b6fg loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO0932083943974.exe

Resource

win10v2004-20220414-en

formbook xloader b6fg loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.0

Campaign

b6fg

Decoy

multlockmt5.com

mohajrannoor.com

robynhoodofretail.info

belinv.com

hotellasab.com

kibrismosad.com

xn--fxwm39aeb590h.xn--io0a7i

resetbrasil.com

tcsonhvac.com

theresav.net

bohoqi.info

machinafuturae.com

mambavault.com

xn--980am9a.top

yumiang.com

evntmonitor.com

83003kk.com

triterm.com

8800pe.com

silvanstudio.com

taragon-entertainment.com

ahly-live.com

ucpprint.com

betscrum.com

homehit.house

taab3.net

martiswatches.com

cartel-sinaloa.com

flyfuncenter.com

lezhen.top

aiotstairlift.com

selfless-entrepreneur.com

easttaiwansurftrip.com

descubriendonoruega.com

wicoru.com

tacmktg.com

callisterlawgroup.com

khogiaychinhhang.com

hobianak.com

pole-entrepreneur.net

callumjcummings.com

sgknox.com

xn--zuneauspolen-gcb.com

wwwjinsha622.com

everyoneschocolate.com

medlplayground.com

honeynray.com

whackajudge.com

alwarren.com

venglishhouse.com

quantumpearlpoc.com

movie4in.com

vytalhealthcare.com

sportsempires.com

xinhby.com

296djw.info

biblebeater.com

e-jie360.com

lemarcoambar.com

thekoulenresidence.com

iejel.com

sha256.equipment

j12mfg019y.com

clearlyconversing.com

magentos.info

Targets

- Target
  
  PO0932083943974.exe
- Size
  
  351KB
- MD5
  
  1e8d5e2871ef3da902db085c1b5c9e4f
- SHA1
  
  a3e42499d53bcf961dfbaceca2c3fb5fc4d54364
- SHA256
  
  dee1fa115a3e06310b958baca7bf709144f770de027ab3c615f6937b7544cd75
- SHA512
  
  bbba879de92397a2141aaa4e780a99e1434e171d31dd2698e97363518b140635c20adb98718073f7d2b12935a14bde61b70ff7d5d528058c4a50794b865f2446
Score

10^/10

formbook xloader b6fg loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderb6fgloaderpersistenceratspywarestealersuricatatrojan

behavioral2

formbookxloaderb6fgloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy