formbook

General

Target

8198859f6abcd854b1ab48c4081c4a4246e439c21d5e5b6d8975f382c9056002
Size

427KB
Sample

220521-c4ywvafab2
MD5

93b823b2d6a401101b8dffcaed401d4b
SHA1

2a85892ea96418d19233255145273635ca08794a
SHA256

8198859f6abcd854b1ab48c4081c4a4246e439c21d5e5b6d8975f382c9056002
SHA512

7dcdcd0039e72ded5d6a33a8bae2da6e9dc7735ec05ef6c1c4b78081da22096cb8979ecc52f7001434525cb4d07a55efbe4e9b72612f6234e216e73124944d49

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

cvd

Decoy

wanda-dutyfree.net

m399999.com

adultoutopico.com

acappellawebradio.com

geetaisprings.com

californiacredit.repair

view-merchant.review

autoritecenter.com

lke7992.com

carroceriasalchichica.com

shanhaishidai.com

wuyounice.com

ahyingshi.com

eurocrypt.net

zvxhs.info

nxsexyvip.com

suffolkbuildingcontrol.com

sotruemobiledetailing.com

bizsolmx.com

personalidea.net

Targets

- Target
  
  Quote #121079_Price & Availability.exe
- Size
  
  628KB
- MD5
  
  5d061432063b989574425c27e749a0b1
- SHA1
  
  9770da0f429eaeae0834d73c563c316db62525ec
- SHA256
  
  d4224f6f5b734de53a5a7e5f5675b05f9a808deb058e64d00859146f8255594c
- SHA512
  
  5ac185a6d31beea556fa8695bd0952e45c9986d12b1e0faa102e3a91a6ef455326c1435907b882b25c411451094b193398eb154b0a10336d38b75972719699b3
Score

10^/10

formbook xloader cvd loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Xloader Payload

Adds policy Run key to start application

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2