formbook | e37b466a994825e7a44f625de253fc03dedd0d042127b035423f5dd2370d2f77 | Triage

Submit
Reports

Overview

overview

Static

static

Heineken_902738.exe

windows7_x64

Heineken_902738.exe

windows10-2004_x64

Sharing

General

Target

Heineken_902738.exe
Size

753KB
Sample

220705-wtgz5abfeq
MD5

7901c752f39af02c460c45bb8c056578
SHA1

c4afb3557c24fe5e8eb4f163ff3d2f8d08a76b24
SHA256

e37b466a994825e7a44f625de253fc03dedd0d042127b035423f5dd2370d2f77
SHA512

61b8f79757a7d6e61e21bc7773c9ae4f2db7fa24175cd5b7d91e3f277bb59d4cff69888ff3c23d801d19cef97b38e7a772c580d8eee832112b8849cfbbdfe85b

Score

10^/10

formbook xloader nekq loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

Heineken_902738.exe

Resource

win7-20220414-en

formbook xloader nekq loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Heineken_902738.exe

Resource

win10v2004-20220414-en

formbook xloader nekq loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

nekq

Decoy

/c9oNOPSc9aX85OuoqU=

OJ273U/T/c7no1jC

oPn68XFXJsCG6JOuoqU=

iAUbpb8k0vTRkUTK

pPasgiv9XQi4ESRJKCjRfGdj

J5jO/Yz6+M7no1jC

XdhiI9HBZsZlyKZ1jPx+JvxZEg==

uKpYHaMJ+OCnb0yGJ5d4Fg==

9/aD58LBdIIAdGJIaaiSTSuqn1/A

Q52txESw1ro3n3NlouzWgmgm06DFAvFR

nv0k5OdLOI8bBbwMrO7Lp059Fw==

NJ3N6nHo3qKAhDZJKCjRfGdj

z0FFAyMlzFonbTkMu79n

IxOiRvLolOiHw2lEcphyDfqqn1/A

Pi0Kkdu8Vr84Fg==

hGmJW4f0Eelq7fRazg3f1qZr

+O+SUb0HHflx55l0J5d4Fg==

raG3zxXI4rgz6Ipsia0=

OZuQHihvYzPayG4Ax70=

EYKIJDSGpYffFZOuoqU=

RiG6fwJkVjf+upSGq+xqGvQ=

yMn8IKcnhfKr3cHW3dKGOst5Kfs=

NJS+fG/HsPma6sbp3FFo

eVFb1AZ3DH4b

61TNckYVfA==

ffMnSNFQfVrHZ2IAtOCqYizuyKnX

70RqO2HkGKkkG8vp3FFo

92V/ICpI9lXQx7AWin7f1qZr

29FtIMG4Zs+F4czG2dqNOMt5Kfs=

PzfOODMoxB3no1jC

jwh3GdLHaeSX7pOuoqU=

baLRnrWxTW8Pz+c=

/FlqMm13mWUh2b2pmsrAajtrFg==

18ltMLMePUwXyKKBoPfLp059Fw==

txKXwLInM18=

+d3yvetQd4U4FAqXMx+7YEVLIL1MtA==

bkVE1kps4Ug=

FoXxgcq7Vr84Fg==

fPX3mcgiSWYsA9Y18CPhx4LIcjsNvA==

9mGfxRFdSy0AxHLRhvZYcct5Kfs=

KYWoUYfq3IfymWDGJ5d4Fg==

L6GuerAcEGjpDPJRyA3f1qZr

xBJS8ejSPw63i3X6oLlcB6TWinDFAvFR

RS/FdzYij6ekBfA=

eeZribK9ZbhQjnumV3M39ONxG5ysZms=

3T1rCx2hxKCGmYjgJ5d4Fg==

gn0m8664WreN2bYHjXvf1qZr

BHIAHzyRs4szCvCADVRrFvuqn1/A

OyPKafPXcI3JGoPp3FFo

vSWNGaywKfRx+ti72An8n3Qy26HFAvFR

oH5ADLfKfYHtdSV67/PGp059Fw==

jwL6h4vyE+/A3LoJjXvf1qZr

Xs9Zc2deDC9V8+k=

T5+bMXJEq4EOpWo4KnA/JRB0Hw==

e+oUSQb+r8NI5c6or+xqGvQ=

wjXF2vHymfKODIJZfKo=

T0A5XQuKf1AE+G/Iaw==

+O2YZgehQqekBfA=

LY8YRnN7UkRTvJrV

xkVcJFDA8c7no1jC

Ze4Rn6IiDDhTvJrV

XU3mjCPwkCTjF5OuoqU=

+tMPp6nFfw/aG5OuoqU=

Y9HTKZMsX7J8o2IlOF/757hy

pakujwalize.xyz

Targets

- Target
  
  Heineken_902738.exe
- Size
  
  753KB
- MD5
  
  7901c752f39af02c460c45bb8c056578
- SHA1
  
  c4afb3557c24fe5e8eb4f163ff3d2f8d08a76b24
- SHA256
  
  e37b466a994825e7a44f625de253fc03dedd0d042127b035423f5dd2370d2f77
- SHA512
  
  61b8f79757a7d6e61e21bc7773c9ae4f2db7fa24175cd5b7d91e3f277bb59d4cff69888ff3c23d801d19cef97b38e7a772c580d8eee832112b8849cfbbdfe85b
Score

10^/10

formbook xloader nekq loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloadernekqloaderpersistenceratspywarestealersuricatatrojan

behavioral2

formbookxloadernekqloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy