formbook | 5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc | Triage

Sharing

General

Target

vbc.exexzpxvhlq
Size

1.6MB
Sample

220626-gymzlshgbr
MD5

52da53b1c61bf409b32f845f3806479a
SHA1

4e4120c159b2ff506c8719332dc38298ac092659
SHA256

5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc
SHA512

3a1ffa7db0f5b90deccbf9f84033e19ed43f9d28006f40c2c8d1cbe7c337f6fd458c966bef0b29c8f1cde725d1e1abfecb65c00b5ae6f908dcb33ecb83c7dbca

Score

10^/10

formbook xloader mt88 loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

mt88

Decoy

syzbf32.xyz

pertlines.com

vybaveniprocyklostezky.com

elianmsalas.tech

a-snag-tokei-kaitori.com

tuvistaing.com

whoyoucall.net

l8e9gr.xyz

sophrologuemontevrain77.com

ciclean.com

the-roel.com

campgreencove.com

foremostbookkeeping.com

zamanscorner.com

efeturozemniyet.com

penelope.team

murata.life

solfuls.com

tradefitinvesting.com

skinbid.pro

Targets

- Target
  
  vbc.exexzpxvhlq
- Size
  
  1.6MB
- MD5
  
  52da53b1c61bf409b32f845f3806479a
- SHA1
  
  4e4120c159b2ff506c8719332dc38298ac092659
- SHA256
  
  5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc
- SHA512
  
  3a1ffa7db0f5b90deccbf9f84033e19ed43f9d28006f40c2c8d1cbe7c337f6fd458c966bef0b29c8f1cde725d1e1abfecb65c00b5ae6f908dcb33ecb83c7dbca
Score

10^/10

formbook xloader mt88 loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

formbookxloadermt88loaderpersistenceratspywarestealersuricatatrojan