formbook | 3580439625a85986a0a0428e95a2c22b246c509e340082c3c03e24abc997c9d5 | Triage

Submit
Reports

Overview

overview

Static

static

PO_200251-269312.js

windows7_x64

PO_200251-269312.js

windows10-2004_x64

Sharing

General

Target

PO_200251-269312.js
Size

363KB
Sample

220705-pqlqksbag5
MD5

44caad4df8dbf71425f53a4164300228
SHA1

bcbb189276805f815d92575e026ee95c59c2a772
SHA256

3580439625a85986a0a0428e95a2c22b246c509e340082c3c03e24abc997c9d5
SHA512

309ca938b4050518afe95b9b8c44c550ecfb6cdea5bea8d8ed7c42d302808bd78efb2ea0338f9f73442dde44ca0acb5702848b97f56183cde2e38516726f769c

Score

10^/10

formbook xloader vs8g loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO_200251-269312.js

Resource

win7-20220414-en

formbook xloader vs8g loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO_200251-269312.js

Resource

win10v2004-20220414-en

xloader vs8g loader persistence rat spyware stealer suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

vs8g

Decoy

xEVEsySadSMf8UUC

H8ZbYtGKWPCfp91+uS3TFo/F7tYacwDqHw==

L/St5UjIhTMzEHsb

8h8tDvq0nl8JCWoagxa0MVyvnA==

7bml44z9jZsZx8Co2T8=

EwH88ZtcOu8ehs2P2o6wv78FEe4+xRQ=

bTn3LpE1HfpPAXI=

nYxT+9GLhS1d3zzGJuTDlgpT

HxonIwh8TesenMCo2T8=

Ki83MiehhC9e1i7YQ/Wd32JsGcun

wHcUByFRMuEGh8Co2T8=

86tqpg/Jy60eFmMRPefDlgpT

grSUYa5yahUf8UUC

HVviVsk7Cb6Elc571pnSWCJ93G17PkiI

6LJ1qBPUtGNIl8Co2T8=

AYuWD33xt44VxsCo2T8=

/smXvLMh868VzQqs99/DlgpT

1kEMNVtaMw6KmN+YANYm+kA=

daarti3nbFVKnsCo2T8=

0EJM6cFFHvawA2U=

WZmLjeanlDoDRmMJeRfM

CAnpqoPMmEdBmsCo2T8=

S7NRSknz2IDxrfexzMWcXg==

hbhFvI9GHbYe6lDkMNYm+kA=

ZDYJSK5aKMqTmgGwC9pyCcxc

WBqkiYw6Cq0R1EEHeRbNVMfUWPW+

nDdqqAaRcAQ=

lsLX1cM9FrbMFXIZc/m0MVyvnA==

YceJrx3/7aDcctOaFZQygvVPcl0=

S7Byvh2dXnV5TF0kfw==

zaBZEvt6+etgHQ==

zwcVn349GMs38kfqNPO/MVyvnA==

wi/0NwnAbRwf8UUC

8vYWUbleFPawA2U=

lllK3cr5kDsC

QwHKGfaybiUf8UUC

gGk69u/TalUKIoyTx6PE

6lstUki4iTx4TF0kfw==

1hwVGQl6+etgHQ==

55QxLhZ++etgHQ==

XpUZkHZSGPpPAXI=

b/rRDHMmDMn8lQu9I93DlgpT

grW5q74PiWDh3b3TzoJzZd9Z

HctUSLGkTy0gaK06mjc=

742P/3XnqmZMnMCo2T8=

SwOlZ8q6chM=

XMtX4gaRcAQ=

gqO80CPQo05EmsCo2T8=

jDfY4dVROPVVTF0kfw==

HBcQ9d1lQvL/PYEEPefDlgpT

1FkgSrtsNNTKIJuTx6PE

KKNX0Knpqz0V

JNPadlPYyGVkscCo2T8=

+a2vJgnRyHi2SZJOyJlQn07X7s0acwDqHw==

IE9RTrmihShQ4jrezMWcXg==

+FPcOAZW3vawA2U=

XSH8PZEHwmk2Tp+Tx6PE

0odKiwftyW2aAUnfM9WPZ/RK

Ih8VBfKimjFn/24iVgcM8/VPcl0=

JYeAApzpqz0V

mQGklYL+yXHRpCHTLtYm+kA=

aduCh9uUg2zu60oK

1QcE/VwM0bhnrwCbzzw=

6NujcFnPuV5MnMCo2T8=

madeinfrance.plus

Targets

- Target
  
  PO_200251-269312.js
- Size
  
  363KB
- MD5
  
  44caad4df8dbf71425f53a4164300228
- SHA1
  
  bcbb189276805f815d92575e026ee95c59c2a772
- SHA256
  
  3580439625a85986a0a0428e95a2c22b246c509e340082c3c03e24abc997c9d5
- SHA512
  
  309ca938b4050518afe95b9b8c44c550ecfb6cdea5bea8d8ed7c42d302808bd78efb2ea0338f9f73442dde44ca0acb5702848b97f56183cde2e38516726f769c
Score

10^/10

formbook xloader vs8g loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloadervs8gloaderpersistenceratspywarestealersuricatatrojan

behavioral2

xloadervs8gloaderpersistenceratspywarestealersuricata

© 2018-2024

Terms | Privacy