formbook | 1bec941f244d3f69b90f2b3166509ccffdfb11959003f53c1ef097beaf4a0969 | Triage

Sharing

General

Target

1bec941f244d3f69b90f2b3166509ccffdfb11959003f53c1ef097beaf4a0969
Size

303KB
Sample

220621-jbhgqacbfr
MD5

bef72eb124931f8e96965b4e5062605c
SHA1

f2f7fb4c3c0d130dfec7ede1efa1b5187b759ede
SHA256

1bec941f244d3f69b90f2b3166509ccffdfb11959003f53c1ef097beaf4a0969
SHA512

3d8dd5304f53744a82ab9d01e98bdf776dab77507255f81c1a9d377c3a56c440a5c69b01de7dc7d24671a6b287b9a7cc9a57828ffa371b09f22ea0203ca4556a

Score

10^/10

formbook xloader mt88 loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

mt88

Decoy

syzbf32.xyz

pertlines.com

vybaveniprocyklostezky.com

elianmsalas.tech

a-snag-tokei-kaitori.com

tuvistaing.com

whoyoucall.net

l8e9gr.xyz

sophrologuemontevrain77.com

ciclean.com

the-roel.com

campgreencove.com

foremostbookkeeping.com

zamanscorner.com

efeturozemniyet.com

penelope.team

murata.life

solfuls.com

tradefitinvesting.com

skinbid.pro

Targets

- Target
  
  1bec941f244d3f69b90f2b3166509ccffdfb11959003f53c1ef097beaf4a0969
- Size
  
  303KB
- MD5
  
  bef72eb124931f8e96965b4e5062605c
- SHA1
  
  f2f7fb4c3c0d130dfec7ede1efa1b5187b759ede
- SHA256
  
  1bec941f244d3f69b90f2b3166509ccffdfb11959003f53c1ef097beaf4a0969
- SHA512
  
  3d8dd5304f53744a82ab9d01e98bdf776dab77507255f81c1a9d377c3a56c440a5c69b01de7dc7d24671a6b287b9a7cc9a57828ffa371b09f22ea0203ca4556a
Score

10^/10

formbook xloader mt88 loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookxloadermt88loaderpersistenceratspywarestealersuricatatrojan