formbook | 2c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6 | Triage

Submit
Reports

Overview

overview

Static

static

tmp.exe

windows7_x64

tmp.exe

windows10-2004_x64

Sharing

General

Target

tmp
Size

533KB
Sample

220628-x19jdsdfb3
MD5

2ca4db9e581608faaacdd0533b4fd783
SHA1

78065a3d2fdc96c1c9de15a1ca7e39cd96be1137
SHA256

2c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
SHA512

fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847

Score

10^/10

formbook xloader iewb loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

tmp.exe

Resource

win7-20220414-en

formbook xloader iewb loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

tmp.exe

Resource

win10v2004-20220414-en

formbook xloader iewb loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

iewb

Decoy

n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==

5vIAIY+pt81OtWs+FdIEdk7Y

LHIKc+oWGIQUUlfAAtEEdk7Y

ePM/cX2jvHrS

5hvPEw22+fdvmJz3C8FIVq0=

mb9EeX2jvHrS

Dx2zIYNvfjo8VUo5

6jVPnyJekv2RAc4gLKNwEqQ=

KWatHyjdE5Gj1Ng=

t9lk70gzUAZty4qjbVjF

6eUBeFPzKBWT125BFNIEdk7Y

dZUXOIyqTJGj1Ng=

iL3TVh2Jl5QVStnzxcAhIL8=

J1prtyklUfZGR/xDD71IbkWRd2yx

s9FgCOBRW9bU0Y6jbVjF

RYCbQDzcFBhcylgu

Fl0BV/8RJm6F9QRg8LXXTLo=

0dhumHzrCCZ3wdQg7nFF1AlL6Tk=

xvL+iL6wwX+/wH9K4lbZ/A==

N0lVceIFD5Gj1Ng=

5/mnQbHhJ7IzcYjyQbXXTLo=

luHuIKrfNeUkJOfRV0dA8o3Ghkt95g==

yuh2thpBWtHl2ZV48rXXTLo=

ADcuaODkD5eytord4lbZ/A==

PIWRAgq8/zx4aipDyILc

TdUPJBksRZU=

NorCQjrrH5Gj1Ng=

WXUOku0EDZGj1Ng=

4w8mrX8lanCcoWZLU0SkkkSRd2yx

KIYkq/0QN5gPTFK37XszY0fa

s8lIykhdVZjlEA1g8LXXTLo=

AkBw4LE9RQNHkyRsMQ==

fLzVWEjyMarikyRsMQ==

6j1f2ZsFFRpcylgu

zu3YwbBReoIuUh1vdsGonTCDfw==

EGD0PEju53oDSuwu9765d/4KSkXU3Qxh

rc0aZhksRZU=

Un//ZcCsqyaNtEcnt6mLu7Lqdw==

V4Eqwh4FEHqIflW508EYzYSbOeC5

EiWpwJgAFRV5e1r60cAEdk7Y

VW8Pf9PN65HU1otP4lbZ/A==

FFdOyJcMGxpcylgu

KztLpY85vJkLFw==

yh8vtO4GRPQ2kyRsMQ==

qMfrSiqZvghLUyRy/7XXTLo=

eKTGPwmf3swEq2Y3

aoseYSTrlPsvGQ==

Z6tKw0RfgS5+1o6jbVjF

CyU0azDFBZGj1Ng=

7Cy+5co/ZZbhC8dW6eo=

LXmN0EJimQWHylwnbTS6afIlJZHj+Q==

2R2cFWiX1hlZYz2UKh4i12ikiTP55p5Bfg==

jqHcD+eAi5EYlVrJm0TN

cqO55WilyvQ9mG1P4lbZ/A==

BERqtpY6pZDbB8dW6eo=

VpzDHQBueZvY24qjbVjF

OWUELQ6s28NVxom7evrIPfCLfw==

5iO6Dg619fIVQz+Q3I+ZMdmwry4=

d6GiFh7QJaHO2Jxz8bXXTLo=

NlFh6bdVeihxxT1MH+A+TL3MaA==

0PWJHpPJ9zh3nasMO8FIVq0=

19Fom6FBSQ1QrMU=

aYWBmw6431DfHsdW6eo=

Jj7U++2X3M4Eq2Y3

mounscape.com

Targets

- Target
  
  tmp
- Size
  
  533KB
- MD5
  
  2ca4db9e581608faaacdd0533b4fd783
- SHA1
  
  78065a3d2fdc96c1c9de15a1ca7e39cd96be1137
- SHA256
  
  2c6f3126b960f02205390cf54a74de6e32d53cc1d6db64cc4744c9cca63ecca6
- SHA512
  
  fcd201fd15e2133052b24b786131d0adb877ba979ce3aedfbb52596dd7636ceb7194df7f1acc5a6d8be1d6fd8e1faea152e2073495fbacadf38728dddbafc847
Score

10^/10

formbook xloader iewb loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderiewbloaderpersistenceratspywarestealersuricatatrojan

behavioral2

formbookxloaderiewbloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy