formbook

General

Target

SecuriteInfo.com.Heur.MSIL.Pretoria.1.32389.24674
Size

642KB
Sample

220705-rkjp5saacq
MD5

5f8b5e708fac3e104ce3ccfa9570e1bb
SHA1

4fa68f6cadcb8d54ebf700cc6105f3d601f56f83
SHA256

36c82bea7381b157879abc9aedfa192d05ed7a5735781fedd248000e1364bade
SHA512

ed2f0a4b4826accfeff0ca73aac71a05ea813b23e010750b4becaae6b6262fcd914ce09e6986290c9762063e35b657444ef137600c5b89aa44fe490a8f998953

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

qm5s

Decoy

0hik40Q3UhxPsw==

JISUEx3s7xDypTBW

i9pv35p8mq/efPnMnjc1

d4OyCX3u9cQP8Lg=

2BLgZcivstP+

pAC7/mJD57GtLrGkijZAM4GQ

oa5Jvt6QpWLmu4hJ7A==

zQh+7kjKwlHfu4hJ7A==

v7xT2kCqy/QN7sKJtRpBtXbvxmvJiZRxjA==

JR0YYed9qFflu4hJ7A==

ovXuQiQQExpJ43yWMufw6X0FblY+

TJrP8LKDiabXu7dZ8Q==

EWVThU33hz1SKSGFmuk=

U5hFmhXVHoMVpA==

DUAxo4ghz4lpeLBV5Zm2Cnbbzhw3

3EbjPYoyPdZ9SDxzAIvOlUCY

2AGmAHBX0neTLcX9lRt2xUTLiuNcRrw=

dGMClACgFTrpu4hJ7A==

S0XMDQKAN2zzlQ4oz4HOlUCY

IUfZIC6jOFTjvP6U8yd3Mw==

Targets

- Target
  
  SecuriteInfo.com.Heur.MSIL.Pretoria.1.32389.24674
- Size
  
  642KB
- MD5
  
  5f8b5e708fac3e104ce3ccfa9570e1bb
- SHA1
  
  4fa68f6cadcb8d54ebf700cc6105f3d601f56f83
- SHA256
  
  36c82bea7381b157879abc9aedfa192d05ed7a5735781fedd248000e1364bade
- SHA512
  
  ed2f0a4b4826accfeff0ca73aac71a05ea813b23e010750b4becaae6b6262fcd914ce09e6986290c9762063e35b657444ef137600c5b89aa44fe490a8f998953
Score

10^/10

formbook xloader qm5s loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Adds policy Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2