formbook | 8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06 | Triage

Submit
Reports

Overview

overview

Static

static

tmp.exe

windows7_x64

tmp.exe

windows10-2004_x64

Sharing

General

Target

tmp
Size

502KB
Sample

220627-eyn6kaahh5
MD5

6237a36be522069ff7f84128c2cbb5c4
SHA1

2c57d875e90ef11903529ec81862aa01e8945129
SHA256

8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06
SHA512

c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

Score

10^/10

formbook xloader iewb loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

tmp.exe

Resource

win7-20220414-en

xloader iewb loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

tmp.exe

Resource

win10v2004-20220414-en

formbook xloader iewb loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

iewb

Decoy

n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==

5vIAIY+pt81OtWs+FdIEdk7Y

LHIKc+oWGIQUUlfAAtEEdk7Y

ePM/cX2jvHrS

5hvPEw22+fdvmJz3C8FIVq0=

mb9EeX2jvHrS

Dx2zIYNvfjo8VUo5

6jVPnyJekv2RAc4gLKNwEqQ=

KWatHyjdE5Gj1Ng=

t9lk70gzUAZty4qjbVjF

6eUBeFPzKBWT125BFNIEdk7Y

dZUXOIyqTJGj1Ng=

iL3TVh2Jl5QVStnzxcAhIL8=

J1prtyklUfZGR/xDD71IbkWRd2yx

s9FgCOBRW9bU0Y6jbVjF

RYCbQDzcFBhcylgu

Fl0BV/8RJm6F9QRg8LXXTLo=

0dhumHzrCCZ3wdQg7nFF1AlL6Tk=

xvL+iL6wwX+/wH9K4lbZ/A==

N0lVceIFD5Gj1Ng=

5/mnQbHhJ7IzcYjyQbXXTLo=

luHuIKrfNeUkJOfRV0dA8o3Ghkt95g==

yuh2thpBWtHl2ZV48rXXTLo=

ADcuaODkD5eytord4lbZ/A==

PIWRAgq8/zx4aipDyILc

TdUPJBksRZU=

NorCQjrrH5Gj1Ng=

WXUOku0EDZGj1Ng=

4w8mrX8lanCcoWZLU0SkkkSRd2yx

KIYkq/0QN5gPTFK37XszY0fa

s8lIykhdVZjlEA1g8LXXTLo=

AkBw4LE9RQNHkyRsMQ==

fLzVWEjyMarikyRsMQ==

6j1f2ZsFFRpcylgu

zu3YwbBReoIuUh1vdsGonTCDfw==

EGD0PEju53oDSuwu9765d/4KSkXU3Qxh

rc0aZhksRZU=

Un//ZcCsqyaNtEcnt6mLu7Lqdw==

V4Eqwh4FEHqIflW508EYzYSbOeC5

EiWpwJgAFRV5e1r60cAEdk7Y

VW8Pf9PN65HU1otP4lbZ/A==

FFdOyJcMGxpcylgu

KztLpY85vJkLFw==

yh8vtO4GRPQ2kyRsMQ==

qMfrSiqZvghLUyRy/7XXTLo=

eKTGPwmf3swEq2Y3

aoseYSTrlPsvGQ==

Z6tKw0RfgS5+1o6jbVjF

CyU0azDFBZGj1Ng=

7Cy+5co/ZZbhC8dW6eo=

LXmN0EJimQWHylwnbTS6afIlJZHj+Q==

2R2cFWiX1hlZYz2UKh4i12ikiTP55p5Bfg==

jqHcD+eAi5EYlVrJm0TN

cqO55WilyvQ9mG1P4lbZ/A==

BERqtpY6pZDbB8dW6eo=

VpzDHQBueZvY24qjbVjF

OWUELQ6s28NVxom7evrIPfCLfw==

5iO6Dg619fIVQz+Q3I+ZMdmwry4=

d6GiFh7QJaHO2Jxz8bXXTLo=

NlFh6bdVeihxxT1MH+A+TL3MaA==

0PWJHpPJ9zh3nasMO8FIVq0=

19Fom6FBSQ1QrMU=

aYWBmw6431DfHsdW6eo=

Jj7U++2X3M4Eq2Y3

mounscape.com

Targets

- Target
  
  tmp
- Size
  
  502KB
- MD5
  
  6237a36be522069ff7f84128c2cbb5c4
- SHA1
  
  2c57d875e90ef11903529ec81862aa01e8945129
- SHA256
  
  8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06
- SHA512
  
  c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e
Score

10^/10

xloader iewb loader rat suricata formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderiewbloaderratsuricata

behavioral2

formbookxloaderiewbloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy