formbook | e058bf557fa6f5e4bfa9b54e3c75b9ae8e1d54c21a88808ccbc2643ace526300 | Triage

Submit
Reports

Overview

overview

Static

static

Quote.js

windows7_x64

Quote.js

windows10-2004_x64

Sharing

General

Target

Quote. pdf......................................gz
Size

189KB
Sample

220626-x3r25aeba9
MD5

1ade9d3347a4bb8820eabb5c119c6f24
SHA1

2beb84b0bb322c7c351c69862a957d754bc2cbbf
SHA256

e058bf557fa6f5e4bfa9b54e3c75b9ae8e1d54c21a88808ccbc2643ace526300
SHA512

726505566ca6b2d272a5c2504ceb4748a0a11ef7d7f3ef1e440b043b806795afef03104503c9d4b9aba0c4200d5340cdabb95e31446d42dfa62146ac601c9554

Score

10^/10

formbook vjw0rm xloader loader persistence rat spyware stealer suricata trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

Quote.js

Resource

win7-20220414-en

formbook vjw0rm xloader loader persistence rat spyware stealer suricata trojan worm

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Quote.js

Resource

win10v2004-20220414-en

vjw0rm xloader loader persistence rat spyware stealer suricata trojan worm

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  Quote.js
- Size
  
  333KB
- MD5
  
  975684a4e4f41819184343aad1824ed8
- SHA1
  
  3292e50015630dc896151bafb32049a6521f062d
- SHA256
  
  7e99192187bcad849b96bc9cd69254a2e68fef8ad1c73df7a410ba90ef2b898a
- SHA512
  
  3c1ebcd24d0305e1685015acf61744f8c8766154309955899309f7bdb7e6c82004201e554aa6f59a68d5c208391478022d4192f8c05631bea64c3e252b26cf11
Score

10^/10

formbook vjw0rm xloader loader persistence rat spyware stealer suricata trojan worm
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookvjw0rmxloaderloaderpersistenceratspywarestealersuricatatrojanworm

behavioral2

vjw0rmxloaderloaderpersistenceratspywarestealersuricatatrojanworm

© 2018-2024

Terms | Privacy