formbook | d5e68b8de115bfa8d06d5f407c3e6f9c95f545ff4a9ee16f9ba2706993cdd7c0 | Triage

Submit
Reports

Overview

overview

Static

static

fzejdpOSxr_bin.js

windows7_x64

fzejdpOSxr_bin.js

windows10-2004_x64

Sharing

General

Target

fzejdpOSxr_bin.js
Size

359KB
Sample

220705-pp2qeabaf9
MD5

84fa540039df7abc11a136c8a43fde22
SHA1

175daef8a581ff8ae86cded1cb6f68373d665dda
SHA256

d5e68b8de115bfa8d06d5f407c3e6f9c95f545ff4a9ee16f9ba2706993cdd7c0
SHA512

7715e6ae047fdfee1ba18aa1adccb28f1608b591a5e710c687f8c599486163b85a432edbbebdeef2301cf779c969cfee1578ad75a57aceb6f8589b2c054595b5

Score

10^/10

formbook xloader mdzq loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

fzejdpOSxr_bin.js

Resource

win7-20220414-en

xloader mdzq loader persistence rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

fzejdpOSxr_bin.js

Resource

win10v2004-20220414-en

formbook xloader mdzq loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

mdzq

Decoy

leop.red

actoconcept.fr

doesmee.com

goplygolf.com

cqshki.net

leflegme.com

wgamersport.xyz

4513367.com

shpoweronline.com

ingeniousconsultingservices.com

dentaldenalia.com

saaraba.net

artnow.media

sbwyt.com

nortonrosefulbrigiht.com

autorad.xyz

clergyfundingandinsurance.com

boarko.com

xn--zoom-kh4j.com

739lakemuirdr.com

nhcabling.com

la-bites.com

bostoncleaners.net

q5p0ih89ufw9q5a.site

davincimarblle.com

albite.xyz

earaproperties.com

xn--vsqs7b5yfhum230a.xn--55qx5d

marketreservation.com

n5ply9.com

bestquest.club

hs8068.com

uniqloot.com

arcadestatus.com

seidsaleh.com

a4africa.com

renchies.com

sunilrpatel.com

pdbet168.com

yzshm.com

zhongheyouzhi.com

citraudaysinfinity.com

dk2arnw64qr9vd.life

bornean.website

italianchef.menu

slotdanatanpapotongan.com

aplomber.com

strictlyusedgolfokc.com

westfargo.xyz

46magic.com

desenvolvimento-curso.online

bynicholls.com

wintegrative.com

help-dunya-international.com

swindonconcretepumps.com

ghantasaala.com

fishgaudy.space

hml.email

colwoodrealtyauction.com

markjfinlay.com

madelineagnes.site

thecoastalgranddaughter.com

kreditrechner.pro

thebolingerfamily.com

marijevanrijn.site

Targets

- Target
  
  fzejdpOSxr_bin.js
- Size
  
  359KB
- MD5
  
  84fa540039df7abc11a136c8a43fde22
- SHA1
  
  175daef8a581ff8ae86cded1cb6f68373d665dda
- SHA256
  
  d5e68b8de115bfa8d06d5f407c3e6f9c95f545ff4a9ee16f9ba2706993cdd7c0
- SHA512
  
  7715e6ae047fdfee1ba18aa1adccb28f1608b591a5e710c687f8c599486163b85a432edbbebdeef2301cf779c969cfee1578ad75a57aceb6f8589b2c054595b5
Score

10^/10

xloader mdzq loader persistence rat suricata formbook spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadermdzqloaderpersistenceratsuricata

behavioral2

formbookxloadermdzqloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy