formbook | 151572bec6e274bad481a8c0736a4888931c086f3fdf890be9811eae7c0c0c36 | Triage

Submit
Reports

Overview

overview

Static

static

PO#101581.exe

windows7_x64

PO#101581.exe

windows10-2004_x64

Sharing

General

Target

PO#101581.exe
Size

869KB
Sample

220521-lz2xdabfc6
MD5

95f35b3fb58633c97069fe1bc12f39f5
SHA1

e1ee2cf79953cc0f472c9b3af9fcc389a5bc492d
SHA256

151572bec6e274bad481a8c0736a4888931c086f3fdf890be9811eae7c0c0c36
SHA512

358656d5e219d138a56e25f54b890a98062b5539db4da25685e659276ecfafa68c00ffa83383dac8d35cfe6270eec87da8b306a61a125128869e61ffb934d050

Score

10^/10

formbook xloader ssmm loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO#101581.exe

Resource

win7-20220414-en

formbook xloader ssmm loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO#101581.exe

Resource

win10v2004-20220414-en

formbook xloader ssmm loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

ssmm

Decoy

bhealthybu.com

formasyonlar.com

huddleadvising.com

iroofer.net

pokerisparadise.com

partnrsocial.com

omnixinity.com

sandibet.biz

xxxpool.xyz

mainsuranceagency.com

filipkaarrtofffers.online

txgongsi.com

bonasuplementos.com

sxp89app.space

grandeurjewelryph.com

productsorcerer.com

mrussellhandyman.com

igorstelea.com

cateraevents.com

yashaswistudio.com

stuy.top

canadianpharmacyonlinesrvh.com

sellmorecrm.com

chinadoorexpo.com

southlandfiltration-au.com

bca-landing.com

pinetreemusicclass.com

sandboxes.biz

executiveparkfly.com

ourfutures.biz

cqxcfn.com

gruberhome.com

wildbluewonder.net

6675fh.taxi

krnl.xyz

gilmaria.com

riku.agency

smonique.com

lrlbgruchi.quest

chwrell.com

triumcyber.com

bigtimetickets.com

arthashasthra.com

abs-traders.com

brownhorsecoffee.com

iaintgotish.com

lanhodiep247.com

caitlinmemorial.com

thefatreview.com

upchurchconcertmerch.com

prestaservices34.com

longnanjrq.com

mechaotherside.land

gennieclean.com

xzgtgg.com

furunhasan.xyz

timmarriottinsurance.com

its-my-pleasure.com

xviseos.red

combatiq.info

moncelebrantdemariage.com

yukselercanmedyagrup.online

zillionsband.com

radicalmalls.com

g2r5v2pp.xyz

Targets

- Target
  
  PO#101581.exe
- Size
  
  869KB
- MD5
  
  95f35b3fb58633c97069fe1bc12f39f5
- SHA1
  
  e1ee2cf79953cc0f472c9b3af9fcc389a5bc492d
- SHA256
  
  151572bec6e274bad481a8c0736a4888931c086f3fdf890be9811eae7c0c0c36
- SHA512
  
  358656d5e219d138a56e25f54b890a98062b5539db4da25685e659276ecfafa68c00ffa83383dac8d35cfe6270eec87da8b306a61a125128869e61ffb934d050
Score

10^/10

formbook xloader ssmm loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderssmmloaderpersistenceratspywarestealersuricatatrojan

behavioral2

formbookxloaderssmmloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy