formbook

General

Target

0be2b3666584ba80d0c8ae2606b95be719dc38fbb04a6059cc34529825996d53
Size

251KB
Sample

220521-pzct2agcb9
MD5

cdcb31f9b23b96c5b90a0d34a73b2781
SHA1

5c949be4f712dd59864872b198bb5ae823c2ca8b
SHA256

0be2b3666584ba80d0c8ae2606b95be719dc38fbb04a6059cc34529825996d53
SHA512

e5f54ed1710b32b9d9b7f0ca4da630df186b4292198114c6cb2ae8c4b2aa214a49b8d92b92cb7876a8b5e673b0d382af645136343756ccd572c7bf320d9c344e

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.0

Campaign

war0

Decoy

siompany.net

55667879.com

smallmouth.net

fordforlano.net

placadesilicon.com

btw-butler.com

almbeauty.com

jbthomson.com

presidentialtennessee.com

chiropractorinnorthport.com

yourber.com

get-luxurycruise.rocks

strakellc.com

eukncg.info

pablovergara.info

sologoods.com

toledovista.com

weightlosscoffees.com

echoawyer.com

csproductionsmedia.com

Targets

- Target
  
  Scan_order9215060196.exe
- Size
  
  327KB
- MD5
  
  3902d05dd23263e123e94136dbde2f38
- SHA1
  
  a106c76ed170064b60a541a4533b2610e7e652df
- SHA256
  
  896745863d78a02b1cf02565dbeb3bca4bfd156a1079d28c07ddfb2d8b9fc665
- SHA512
  
  1900a2b722bc099bf4733c412db310916a4258b6482d6676a47332983c299d03a89e04f8614f49be3bd43ee464aef7d3ac66f6c5bf378601b7f77e06c969c881
Score

10^/10

formbook xloader war0 loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Xloader Payload

Adds policy Run key to start application

Executes dropped EXE

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2