formbook | 756240595bd69e9c3415ff6c49e8703dc2bb54bdaa0d2914ce5e33ab92f51813 | Triage

Submit
Reports

Overview

overview

Static

static

PO1286482.xlsx

windows7_x64

PO1286482.xlsx

windows10-2004_x64

1

Sharing

General

Target

PO1286482.xlsx
Size

78KB
Sample

220621-wmshaabfd7
MD5

1122f29208098e9d39655827fe7efbd6
SHA1

fca1db5fff0698113d88e70c876a63e630a6ff0e
SHA256

756240595bd69e9c3415ff6c49e8703dc2bb54bdaa0d2914ce5e33ab92f51813
SHA512

16469a4999250767b4cc4a6df0642fc7215b1d87fd77fb60ae06b32cda06c871b04b63f8b7187cb49faaa331825006118c0308af946f5d38201b430b393a5416

Score

10^/10

formbook xloader zgtb loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO1286482.xlsx

Resource

win7-20220414-es

formbook xloader zgtb loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO1286482.xlsx

Resource

win10v2004-20220414-es

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

zgtb

Decoy

gabriellep.com

honghe4.xyz

anisaofrendas.com

happy-tile.com

thesulkies.com

international-ipo.com

tazeco.info

hhhzzz.xyz

vrmonster.xyz

theearthresidencia.com

sportape.xyz

elshadaibaterias.com

koredeiihibi.com

taxtaa.com

globalcityb.com

fxivcama.com

dagsmith.com

elmar-bhp.com

peakice.net

jhcdjewelry.com

moradagroup.tech

luminantentertainment.com

originalfatfrog.com

istanbulbahis239.com

digismart.cloud

egclass.com

video-raamsdonk.online

enjoyhavoc.online

elegantmuka.com

crememeup.store

gasgangllc.com

worldmarketking.com

johnywan.icu

ctxd089.com

vipbuy-my.com

cboelua.com

sitesv.com

7788tiepin.com

unionfound.com

freecrdditreport.com

symmetrya.online

thinoe.com

line-view.com

immobilien-mj.com

alignedmagic.com

mecontaisso.com

plumberbalanced.com

zhouwuxiawu.com

obokbusinessbootcamp.com

chance-lo.com

jujuskiny.com

kkrcrzyz.xyz

daquan168.com

groupeinvictuscorporation.com

leadswebhosting.com

payphelpcenter950851354.info

subvip60.site

ink-desk.com

luminaurascent.com

jivraj9india.com

topproroofer.com

nxteam.net

can-amexico.com

premhub.club

zs-yaoshi.com

Targets

- Target
  
  PO1286482.xlsx
- Size
  
  78KB
- MD5
  
  1122f29208098e9d39655827fe7efbd6
- SHA1
  
  fca1db5fff0698113d88e70c876a63e630a6ff0e
- SHA256
  
  756240595bd69e9c3415ff6c49e8703dc2bb54bdaa0d2914ce5e33ab92f51813
- SHA512
  
  16469a4999250767b4cc4a6df0642fc7215b1d87fd77fb60ae06b32cda06c871b04b63f8b7187cb49faaa331825006118c0308af946f5d38201b430b393a5416
Score

10^/10

formbook xloader zgtb loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderzgtbloaderpersistenceratspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy