formbook | 6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114 | Triage

Submit
Reports

Overview

overview

Static

static

mpa.exe

windows7_x64

mpa.exe

windows10-2004_x64

Sharing

General

Target

mpa.exe
Size

260KB
Sample

220522-gasvysgbe4
MD5

44a6829e3ee6c5d98fccde99b502f7e2
SHA1

a64dce6694fc716860a52b367317efc095e46756
SHA256

6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114
SHA512

94a51cc57016387bc64107f4b159dd9bfb588fca597bbec9137e94ef832e2a1471a742bd20de3405f2c9cdf4b3b7436ac6889295ba424d678236232d148c26cd

Score

10^/10

formbook xloader be4o loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

mpa.exe

Resource

win7-20220414-en

formbook xloader be4o loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

mpa.exe

Resource

win10v2004-20220414-en

formbook xloader be4o loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

be4o

Decoy

laboratoriobioixcha.com

tictocperushop.online

wild-oceans.com

belaruscountry.com

kicktmall.com

fitcoinweb.tech

mores.one

gogear.one

gxrcksy.com

samrcq.com

impossible-icecream.com

bravesxx.com

bookchainart.com

sleepsolutionsofmboro.com

ocbrazilbusinessclub.com

advisor76.xyz

xitaotech.com

mgsdtytifgf3414.xyz

johnson-brown.net

cr3drt.com

virtualtourpro.store

transporteriocristal.com

fjbingjiang.com

minecraftrojectx.site

ttrcb.com

sexlarab.com

cxzczc2.online

doorsmm.com

weisbergiegal.com

skythinks.com

schoolsuperaty.com

swampbucketkids.com

networklogicsa.com

businessevs.com

gulfcoastclinicchiro.com

milliards.xyz

moviesquery.com

cycletostack.com

c0wkvo.com

inkingthings.net

cookvillecampgroundvt.com

rajeshprinters.com

binge-bane.biz

ginger9632-voice.cloud

1nfo-post.com

unta.xyz

liuhumu.com

khandaia.info

ha01qnscvts0l.xyz

liert.site

allflowmedia.com

6ibnuj9t.xyz

embravewise.com

responsabilities.com

apexges.com

ola-speechtherapy.com

pristinefarmlands.com

adaraateristiayote.store

journeyhomemeditation.com

96238.top

nosipokip.site

itt-service.com

bw590jumpb.xyz

relieveyourdog.com

qiyeweiiliaoo0428.com

Targets

- Target
  
  mpa.exe
- Size
  
  260KB
- MD5
  
  44a6829e3ee6c5d98fccde99b502f7e2
- SHA1
  
  a64dce6694fc716860a52b367317efc095e46756
- SHA256
  
  6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114
- SHA512
  
  94a51cc57016387bc64107f4b159dd9bfb588fca597bbec9137e94ef832e2a1471a742bd20de3405f2c9cdf4b3b7436ac6889295ba424d678236232d148c26cd
Score

10^/10

formbook xloader be4o loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderbe4oloaderpersistenceratspywarestealersuricatatrojan

behavioral2

formbookxloaderbe4oloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy