formbook | 354e6dcfaea16e4f37c6608a890b23a6a801b976f3dc4d11db6274014045d9a4 | Triage

Submit
Reports

Overview

overview

Static

static

osc.js

windows7_x64

osc.js

windows10-2004_x64

Sharing

General

Target

osc.js
Size

380KB
Sample

220620-r1wdwagbe5
MD5

ec13e690ff5ea4cae17f1862b9fa8f3e
SHA1

45963548c7604ac4ead234c6605d0a67e9d29cdf
SHA256

354e6dcfaea16e4f37c6608a890b23a6a801b976f3dc4d11db6274014045d9a4
SHA512

9bb1635b17a41293f7f094947466d45553a16d0209bb6155d5d9d3da3ab8ac8a3e0e2d91a54d85c24b893cb78313bb0d2840d210424a82f94add1f9d515925bb

Score

10^/10

formbook vjw0rm xloader r4wf loader persistence rat spyware stealer suricata trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

osc.js

Resource

win7-20220414-en

formbook vjw0rm xloader r4wf loader persistence rat spyware stealer suricata trojan worm

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

osc.js

Resource

win10v2004-20220414-en

formbook vjw0rm xloader r4wf loader persistence rat spyware stealer suricata trojan worm

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

r4wf

Decoy

eQLhwti8E4CX1m8bp0WK2Q==

axoAyf6nwR9Y43o1nFx+930=

vf9fMlHrgdcI

TRQU8PPgFWegAcLFsjQ5TUX2

CFXUiz7SjsLqcQ==

XKeIL6Nmg+8pokY+wjaooasXRQIt

NLSkgIdanO/4SNPAdlKUrIms7Q==

TTKhgqyuCnCmH7yGa12g8HXrnY/nKGI=

5X0d70pNfaYGRgI=

fXXOk9C1+U9bhkIBIqn8

dN7HmMiv/TtAgyP2tYrEG2Yq4Yw=

HRqUgbJeorn4Zg==

MZ7Sh6xm71vhCNLW

7iFsO188fKYGRgI=

o9VC9kgPVXmCz2gBIqn8

B0y+iMbD+lzhCNLW

ciUeBS0WbdHuVGH+xJU=

Q3334PeyxydNmzoBIqn8

kgHx3RbrgdcI

WQjgo8h9g6YGRgI=

5RSWW31YnAQ0ly3EKxV49Ju7soyJQA==

jnvHrOp+rylh3aQZihBxX5AXRQIt

UvzhyOTBC1WuFalOvTeQFGYq4Yw=

JZKCTnBTlejw6sWEQmBrwWQ=

PsvChalcbbW9/sl9iUyM/Y4MyIY=

twF0UY9YdMf/SOXm7kJHrIms7Q==

U8aniaNnU7TGF6KgX7kkEAfBuXDcuj58

d6kL7Q/Dsv8Qai4y5Dx+bHXrmY/nKGI=

Oy7kr7SLuiFlumMrnFx+930=

YKA43EILPp68Ls2R9Lu9Xg915Q==

OsbEm83iRasRDcDP

N7SzS9W0uRU3jEw+7ZvgQsW07A==

f3LUyOCo6jdfwW4AY1CXrIms7Q==

UVexkL12kKr2QwPEJZ0=

F5PLbMl0rduR24TB

yZuGQ1U5f6YGRgI=

HEOfhKiQJVuUF6ox6uNR0Q==

Y0y0eYw9Q5bD79Ruvg==

aILeq6iNyQqR24TB

dHbUZQWZqMpavHb50CBVrWo=

lEsUpuTUL4KuEa6EVT+F1B7Jgx0z

LDSDX4NENrXnVxAP2rblGjXr

blvKotCPoer5Rvy6VxBcwA==

KMS/ofYGorn4Zg==

EZW+YNdYd+M=

Bop1VFUuccfWIKWmp0WK2Q==

iQDv0R3h0/YxkBU=

NjOefp48RqfbFrOKbecxadZp8ZE=

kTsuEDj5OizhCNLW

w/RTHy0Lc7fSD97wsgCGrIms7Q==

8x18XKJyZ8T1aGH+xJU=

vmxeL0noCmyZBdKGyiE5TUX2

eF22k9DMDF2P/7CBQlx+930=

wO1QPF42ctH+cRIR1is5TUX2

HbqukMjFFHHhCNLW

D0qyl8BhFPRQybNMMafz

rPZqR1Xy/l2Z9H10TVx+930=

bJwP3QPxOZOO0no3oBxixV7nmo/nKGI=

mwL41gvf3SJgzbVlwoI=

dCYI1OqmwRErjloyoInfIWYq4Yw=

Sks251UsiN4K

6qGScqVeRZ7IIuHhx1R7o8aZiyMl

EDaaWIxK/t+R24TB

NSyQY6+MoLlHKmH+xJU=

heatedaffaisr.com

Targets

- Target
  
  osc.js
- Size
  
  380KB
- MD5
  
  ec13e690ff5ea4cae17f1862b9fa8f3e
- SHA1
  
  45963548c7604ac4ead234c6605d0a67e9d29cdf
- SHA256
  
  354e6dcfaea16e4f37c6608a890b23a6a801b976f3dc4d11db6274014045d9a4
- SHA512
  
  9bb1635b17a41293f7f094947466d45553a16d0209bb6155d5d9d3da3ab8ac8a3e0e2d91a54d85c24b893cb78313bb0d2840d210424a82f94add1f9d515925bb
Score

10^/10

formbook vjw0rm xloader r4wf loader persistence rat spyware stealer suricata trojan worm
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookvjw0rmxloaderr4wfloaderpersistenceratspywarestealersuricatatrojanworm

behavioral2

formbookvjw0rmxloaderr4wfloaderpersistenceratspywarestealersuricatatrojanworm

© 2018-2024

Terms | Privacy