formbook | 9d4afb06bbe9a89173e3bdf8b5b8472e52d87c7ca44468d3a5d4681d88bec129 | Triage

Submit
Reports

Overview

overview

Static

static

OVGSGNLTK9...S.xlsx

windows7_x64

OVGSGNLTK9...S.xlsx

windows10-2004_x64

1

Sharing

General

Target

OVGSGNLTK982022 TDR IRIS MIKO 19S.xlsx
Size

176KB
Sample

220705-mesnmsgbcr
MD5

412a8c592355ec728eb128d77a1824cf
SHA1

76a6c61631edb07a0663ab214a57628f460e67fd
SHA256

9d4afb06bbe9a89173e3bdf8b5b8472e52d87c7ca44468d3a5d4681d88bec129
SHA512

8cd985bc5c8061ae1f5b04fade9478ef02125649869027030b4879c68255f7e4376cbdf651497052014562274453609948661e3917338ef6d1b7e1fffe6e6e25

Score

10^/10

formbook xloader a2es loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

OVGSGNLTK982022 TDR IRIS MIKO 19S.xlsx

Resource

win7-20220414-en

formbook xloader a2es loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

OVGSGNLTK982022 TDR IRIS MIKO 19S.xlsx

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

a2es

Decoy

glutenfreebahrain.com

sportrid.com

js-films.com

cie-revolver.com

outsourcinginstitutebd.com

roboticsdatascience.com

tebrunk.com

needgreatwork.com

df1b8j2iwbl33n.life

voluum-training.com

cherna-roza.com

xiyouap.com

bluefiftyfoundation.com

angolettomc.com

yhcp225.com

keondredejawn.com

ifeelsilky.com

coraorganizing.com

smartmindstutorials.com

tanphucuong.info

cxy.cool

criatorioimperial.online

timelyzer.com

chounvwd.com

taxidrivertrading.com

vooyage.xyz

mbtq.financial

tmshop.ma

newexmag.com

wildblumebmd.com

faucetvddw.club

sexism.info

precisionspinecolorado.com

jmigy.com

theplayhouse88.com

theskinrevive.com

envisionexpereience.com

matuschekandcompany.com

zouyuting.com

loansbill-pay.website

albertoalaniz.space

elfstore.net

klapia.online

panxiaozhi.net

soprodutosgeniais.com

amstorex.com

tiktokrycy41.xyz

datisbrick.com

hotelnoucanguillem.com

prekkr.com

jensenko.com

spiritualteashop.com

cyberdyne.world

0xauetw0ye50f.xyz

berendsit.com

kalycollcwn.info

tonenusdt.xyz

ckhla.com

igralki.com

princesskinnymixers.com

tvmountinstallguy.com

choicegoodsshop.com

diamont-services.com

mideazhiyou.com

katescakesandcreations.com

Targets

- Target
  
  OVGSGNLTK982022 TDR IRIS MIKO 19S.xlsx
- Size
  
  176KB
- MD5
  
  412a8c592355ec728eb128d77a1824cf
- SHA1
  
  76a6c61631edb07a0663ab214a57628f460e67fd
- SHA256
  
  9d4afb06bbe9a89173e3bdf8b5b8472e52d87c7ca44468d3a5d4681d88bec129
- SHA512
  
  8cd985bc5c8061ae1f5b04fade9478ef02125649869027030b4879c68255f7e4376cbdf651497052014562274453609948661e3917338ef6d1b7e1fffe6e6e25
Score

10^/10

formbook xloader a2es loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloadera2esloaderpersistenceratspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy