formbook

General

Target

Payment_advice.zip
Size

503KB
Sample

220626-wgaehsdgf7
MD5

08508550025bb5f7ce3406f024d59866
SHA1

40dca5481e72f6c0ce1dca4cbe6a6ffa4ad2e999
SHA256

4237d332153f101ff689faa94faedbfb86efcc02df86d8927681b9705eb1b6cd
SHA512

7680b5efe530e6d7ce2d73a4ed71c44dbecac779357ba779540168844ff7d19d7bc162a88817ca6223e02a146690ad4e08f428d64fd9f1adfc47ee3bd7cc828a

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

v4qp

Decoy

je1XQKU1LfJPVLk=

nvf41a7FsTLs6uB/g+CR

U7mryF6DctZn6GEjr9Bm4g==

1SONGrPdh7wGEOXp3g==

2xX859r7qOFq7GYkr9Bm4g==

IYtzVUx0Oo0HmZawLQAARDvBf4dL

NH3iuBPNSzZTvpw/4KaG

rDehfiqIPbdMBS8G1g==

xhb2uJ0eBwo7k3djqxh60xoNt4VoeQ==

AFtKux3JgPGRkx3xUsciR6piSg==

m+3VoJadWcBvOAPpzKUNPoAxyplS

1DWKULdka3mxIKhEqGxQr7gxyplS

DGlFGBqWi5CtrCX9alyTuPzq

muvVM4slyTfxORwAZisVksCM78aSEVo=

D3biNgUbyg9E5pl+

/+1QLPssvl/Xxg==

I4lzTjaAcc1iBS8G1g==

wSwc4MmbShojhlZCrniTuPzq

jN5YO6ZXSfJPVLk=

4TUS4+ANuqHCRTM9sniTuPzq

Targets

- Target
  
  Payment_advice.exe
- Size
  
  769KB
- MD5
  
  560d32891531b1b707f3382ae9c56b85
- SHA1
  
  f18aa28ee289221ca9a6bb67a8be92f4be087994
- SHA256
  
  6481c836c532a3f055c0239f0459af303c5eda0c95a3f0283bba568b060967e5
- SHA512
  
  e1f4fae2b4c0d40db1052995cc5d9e86ea85e838492ac42c0762fd6e916eab1f014fb3f17a20a371679f95ab780bca4e7da2b0bb78f779e2c6560206f97a0178
Score

10^/10

formbook xloader v4qp loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Xloader Payload

Adds policy Run key to start application

Executes dropped EXE

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2