formbook

General

Target

c17715a67289a3e47a4dbb56e58d2298.exe
Size

679KB
Sample

220705-pwq79abbc8
MD5

c17715a67289a3e47a4dbb56e58d2298
SHA1

07c15664f30d9254aa053884423981bac818a57d
SHA256

2325ce40759e57ccc4f3fadde95aff3298fc4941ca8eca803ccf1588a879c13a
SHA512

a461c3072685f900b9269f0200c1e4a0c70658764c5e647e2bf2784370e848671f8f88f2b090bd926204d65eb687ea5a1da66240a61255e0238ab0c2ed193f65

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

v4qp

Decoy

je1XQKU1LfJPVLk=

nvf41a7FsTLs6uB/g+CR

U7mryF6DctZn6GEjr9Bm4g==

1SONGrPdh7wGEOXp3g==

2xX859r7qOFq7GYkr9Bm4g==

IYtzVUx0Oo0HmZawLQAARDvBf4dL

NH3iuBPNSzZTvpw/4KaG

rDehfiqIPbdMBS8G1g==

xhb2uJ0eBwo7k3djqxh60xoNt4VoeQ==

AFtKux3JgPGRkx3xUsciR6piSg==

m+3VoJadWcBvOAPpzKUNPoAxyplS

1DWKULdka3mxIKhEqGxQr7gxyplS

DGlFGBqWi5CtrCX9alyTuPzq

muvVM4slyTfxORwAZisVksCM78aSEVo=

D3biNgUbyg9E5pl+

/+1QLPssvl/Xxg==

I4lzTjaAcc1iBS8G1g==

wSwc4MmbShojhlZCrniTuPzq

jN5YO6ZXSfJPVLk=

4TUS4+ANuqHCRTM9sniTuPzq

Targets

- Target
  
  c17715a67289a3e47a4dbb56e58d2298.exe
- Size
  
  679KB
- MD5
  
  c17715a67289a3e47a4dbb56e58d2298
- SHA1
  
  07c15664f30d9254aa053884423981bac818a57d
- SHA256
  
  2325ce40759e57ccc4f3fadde95aff3298fc4941ca8eca803ccf1588a879c13a
- SHA512
  
  a461c3072685f900b9269f0200c1e4a0c70658764c5e647e2bf2784370e848671f8f88f2b090bd926204d65eb687ea5a1da66240a61255e0238ab0c2ed193f65
Score

10^/10

formbook xloader v4qp loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Xloader Payload

Adds policy Run key to start application

Blocklisted process makes network request

Executes dropped EXE

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2