formbook | 04c4a1d6a4100879806b4bc04e0d8a33e830a2e4b6f12194b36fffc19c6125d0 | Triage

Submit
Reports

Overview

overview

Static

static

Quote.js

windows7_x64

Quote.js

windows10-2004_x64

Sharing

General

Target

8046606ebe8220adccafc7393e7488eb
Size

266KB
Sample

220627-qpxbcsdbg7
MD5

8046606ebe8220adccafc7393e7488eb
SHA1

a485e9a6ca7380187bd52a616c91302184fe6b6c
SHA256

04c4a1d6a4100879806b4bc04e0d8a33e830a2e4b6f12194b36fffc19c6125d0
SHA512

816f21498b6d11f567bd181dd02fd5371ee7a3df953d25629c53ea9478a08450505c93fd9bbdb61cac280cd3bec311c4eb8e081d4e7e2a0287dc82dd951ae769

Score

10^/10

formbook vjw0rm xloader loader persistence rat spyware stealer suricata trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

Quote.js

Resource

win7-20220414-en

vjw0rm xloader loader persistence rat suricata trojan worm

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Quote.js

Resource

win10v2004-20220414-en

formbook vjw0rm xloader loader persistence rat spyware stealer suricata trojan worm

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  Quote.js
- Size
  
  333KB
- MD5
  
  4dc50abe34a0f0a9fbb86513fe92b109
- SHA1
  
  51a7376ed9e6af9094bdf8a9f862f1a16a5d5485
- SHA256
  
  10b0a88ef7baab52a471dce45a090a692a9ff07b5d34c307d7c2d7192dfc42fc
- SHA512
  
  e0bd6b22f2cdfcb3fa52aecf9372bb3cbe877b9ac804a121bff1fcd0f0639f26679fbfb0e7664665224b0a7ea9bcce9d43c55467763135870d2898f86c98108a
Score

10^/10

vjw0rm xloader loader persistence rat suricata trojan worm formbook spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vjw0rmxloaderloaderpersistenceratsuricatatrojanworm

behavioral2

formbookvjw0rmxloaderloaderpersistenceratspywarestealersuricatatrojanworm

© 2018-2024

Terms | Privacy