Overview

overview

10

Static

static

SecuriteIn...21.exe

windows7_x64

1

SecuriteIn...21.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SecuriteInfo.com.Trojan.Win32.Fareit.9a2b145f.1321.13942

  • Size

    684KB

  • Sample

    220622-tdw31acda3

  • MD5

    fc54c57b9b4181c30db0748d08cf5450

  • SHA1

    6f2d9b31ff707bdae54cb6b43678e1a4ccfae2d9

  • SHA256

    405fde3cb4a7bce2ea1037d3ad8d241459607340c1a4748599736fd3acdd26b9

  • SHA512

    b75e0cec6f21b9b7c21927b30ada739a7eff793cb7bc2b411d31d4101714391a14df929d90bb2483dc4157677280d4e455097e73f3ad507038ffa2f9f43ab37d

Score
10/10
formbookmodiloaderxloadergqvvn7akloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

gqvv

Decoy

keyclash.com

canadianinspiration.com

testmanagement.xyz

doxpunk.xyz

kodacult.com

snatchbra.net

313370955.com

sarochin.com

norozoto.xyz

nbpanthers.com

colombiaartesanias.com

m57hwtiuu7h.com

tsaerac.com

alugiare.com

elizeusomautomotivo.com

fgijjisdifsd.xyz

isecurewebsites.com

incomeviaonline.com

caribbeanbrunch.com

alveus-solarboote.com

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

modischoolcbse.com

theneverwinter.com

rszkjx-vps-hosting.website

fnihil.com

1pbet.com

nnowzscorrez.com

uaotgvjl.icu

starmapsqatar.com

ekisilani.com

extradeepsheets.com

jam-nins.com

buranly.com

orixentertainment.com

rawtech.energy

myol.guru

utex.club

jiapie.com

wowig.store

wweidlyyl.com

systaskautomation.com

Targets

    • Target

      SecuriteInfo.com.Trojan.Win32.Fareit.9a2b145f.1321.13942

    • Size

      684KB

    • MD5

      fc54c57b9b4181c30db0748d08cf5450

    • SHA1

      6f2d9b31ff707bdae54cb6b43678e1a4ccfae2d9

    • SHA256

      405fde3cb4a7bce2ea1037d3ad8d241459607340c1a4748599736fd3acdd26b9

    • SHA512

      b75e0cec6f21b9b7c21927b30ada739a7eff793cb7bc2b411d31d4101714391a14df929d90bb2483dc4157677280d4e455097e73f3ad507038ffa2f9f43ab37d

    Score
    10/10
    formbookmodiloaderxloadergqvvn7akloaderpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Formbook Payload

      rat

    • ModiLoader Second Stage

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks