formbook

General

Target

DOC098765567887.exe
Size

924KB
Sample

220624-qp5bzacefp
MD5

80e050ab4a25bd4b4a7c3f9dfa8e82ee
SHA1

0e5cb52d57acd27f0116160c241782116f92b566
SHA256

c3de8aab68d60caf2e468d1d438ca4c8566657a1e78b7a64d4be50d5d688d420
SHA512

97bef20282c4e4a70b96bcc12a5457f449be8a85f20c223ea17ac212562d4063ad0ddc696c21e79edf4851064a44452db01a6c8cfca5eb41393c3f5e6c57ee30

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

zzun

Decoy

JnNtRHyNupy0GqRzAcasu7hb4rc=

Qv593NGLE7p9UNSaVkPXljAJm2QCNnc=

ePArIFWvjkkMgVEVhw4M4Jk=

26rqUwJ7dD0AiDI=

pBAxMHeK741QFw==

kHD7TPt5846pUMTX

56UnjFjHL1i0j659h3LymRnHpQj+SshC

4vKlKHflPqmWXRbrRwfPtrhb4rc=

6LBd4qButFAi

phMzGll8Ue7Fu+inq5cdnPaSugG3

NKswiQGCvZoG5FgsdHEI

rtTHnuUY8M1qVcXV

SOmECrlAt2oGAA==

L1ep9adutFAi

/UE+/AyvE6uEl28weFI=

IP+xMPQxJR4NE6TK

xvW5GN9/rqA5YUoOVt185Sf7Uw==

fRFNW9DhxL6VF7LA

KFYTfkaY741QFw==

W4JGvMBmt2oGAA==

Targets

- Target
  
  DOC098765567887.exe
- Size
  
  924KB
- MD5
  
  80e050ab4a25bd4b4a7c3f9dfa8e82ee
- SHA1
  
  0e5cb52d57acd27f0116160c241782116f92b566
- SHA256
  
  c3de8aab68d60caf2e468d1d438ca4c8566657a1e78b7a64d4be50d5d688d420
- SHA512
  
  97bef20282c4e4a70b96bcc12a5457f449be8a85f20c223ea17ac212562d4063ad0ddc696c21e79edf4851064a44452db01a6c8cfca5eb41393c3f5e6c57ee30
Score

10^/10

formbook xloader zzun loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Xloader Payload

Adds policy Run key to start application

Executes dropped EXE

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2