formbook | 892386e40db2d9d22e9fe3ddd47f369e6f68757c68aa98ada9c74a346046eac9 | Triage

Submit
Reports

Overview

overview

Static

static

shipping docs.exe

windows7_x64

shipping docs.exe

windows10-2004_x64

Sharing

General

Target

shipping docs.exe
Size

850KB
Sample

220627-mnsp1aaecj
MD5

e1666ef4566ba59ac9cb52fce5bf3438
SHA1

4bd7d742bb83a86046422029b1fce728650be25d
SHA256

892386e40db2d9d22e9fe3ddd47f369e6f68757c68aa98ada9c74a346046eac9
SHA512

c58018a859f0370503c672754893bf272511cafbeb9c1d0894ba7a19055d207ec8e83b57abeac6e578d0deb0db7aa9f49d24115793d60bc263abd91a6cc1fe8c

Score

10^/10

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

shipping docs.exe

Resource

win7-20220414-en

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

shipping docs.exe

Resource

win10v2004-20220414-en

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

gfv7

Decoy

hd4AZDZ3XeSkZ9w0NRn2+JU=

6iAxmGKdumxFEgwp

jM6QcxNUSeCKaUdvvh3g9mffhosQ

d4CC0LS0DjTJS8FdXqd3soM=

S1LPlXEIJY52Og==

doeO7AimsF0NEvFgnIV5

W2TlzH/byHtUU3B7tw==

Y2RAbyZjex2qj6GQv4Q=

ftoOsCpZdfmALQ==

4kqL8v/6rDj8Ohs/wAjkb0gD5Gfiww==

8mVs/AkvwLnIWp4=

yfqAazgHioT8b9yHSKpLDtgY

EyWD5F+Wu3L0xq/VJXgdlnFvBDdUz5WM

jn9ty+pdRNdtcDhJ5k8nwZofm4EJ

s9XVNv4/aRDBUx4w

+vHFE7Fw1rnIWp4=

wC395Yvi6G/3yoWRGW1USxzshi3Dyw==

jcbufIN91gHAUK1RYUMYIdyqpDlUz5WM

iIyoIvZNXwPNmBlBxGk6+A==

C/hTD8h/KWLiMW4Mt/joXyz23Q==

V5ApC8yE9ga07OV4Q61LDtgY

xtLNTFFs/RCJA4orMGL9ApU=

/AKLeE8idfmALQ==

WJL8UAHhVg7FSqAxOWL9ApU=

9iK1jWPdwWJFEgwp

Rz0Nb3NpyLnIWp4=

th3awtVSNNiFPLlnLxPmXyz23Q==

PLAGb2JN/0tFEgwp

DwBJL0vXwz6VU3B7tw==

bOAIYklXEJsP7BUDjxTubP8Q

AzA1r1ApwbnIWp4=

GY7VFP8Z42Eu0zrPgv7M27H2j0s=

M1Xf2X3iJY52Og==

TniK5ZHG5YsoO/UBSCIK04Osyg==

bNielgswlcIx

BT5/syRLwuaFFoo=

zwZKrUOtnTLZkPUBUkIUo7nAxA==

S3TY7rP8Gao+W6GQv4Q=

8vR8aFToJinc8vkLXbaY8pHOkINUz5WM

fn99yILT1WJFEgwp

4CI0fVVcxeyXIYwwPVLo9Iw=

hq6/DbfACpAm

ZJBMLtsgRN6izYKOI6xLDtgY

0w51/t24cgbsNUTkoS3BBZM=

KigtlHKAVuSnOpkzO1Lo9Iw=

QJKEvBztdfmALQ==

JCr9WGswGbg7

cbnlTTM1lc+s9s/6j/3mXyz23Q==

nC9880u66IpFEgwp

8l0tFQeq3HFHilpg32RN0GRVOaxXKO8YOA==

aV4laF9ZdfmALQ==

p8+JhjIKxEMWa1707GVKBdbbhi3Dyw==

lsDLGs6vauq8ERrIkwrU1m76mhgPoVk=

VmL44pRG8A56zSK0xGk6+A==

0MtFU1jACpAm

ASApso7Btzm4sbLiY79LDtgY

ULrfRv1BUwzoty9HxGk6+A==

qasiAbIOJY52Og==

UZN9Xx2miW9FEgwp

zDMIAhSLts63jRpCxGk6+A==

f3gLFxpk+DG+U3B7tw==

qzWSblb1ernIWp4=

+CZPmjzmSGIHjN6BSapLDtgY

jsw3l0sshQ0MzjNRqA==

littlemountainnomad.com

Targets

- Target
  
  shipping docs.exe
- Size
  
  850KB
- MD5
  
  e1666ef4566ba59ac9cb52fce5bf3438
- SHA1
  
  4bd7d742bb83a86046422029b1fce728650be25d
- SHA256
  
  892386e40db2d9d22e9fe3ddd47f369e6f68757c68aa98ada9c74a346046eac9
- SHA512
  
  c58018a859f0370503c672754893bf272511cafbeb9c1d0894ba7a19055d207ec8e83b57abeac6e578d0deb0db7aa9f49d24115793d60bc263abd91a6cc1fe8c
Score

10^/10

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloadergfv7loaderpersistenceratspywarestealersuricatatrojan

behavioral2

formbookxloadergfv7loaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy