formbook | 9696d3ec13f85ada39b140ae0096e765db0ff630f351ffa1e96484f6a4f2f030 | Triage

Submit
Reports

Overview

overview

Static

static

tmp.exe

windows7_x64

tmp.exe

windows10-2004_x64

Sharing

General

Target

tmp
Size

612KB
Sample

220705-xgjhvsbher
MD5

0229fa24ef686c20e6d50c5a75aa8c27
SHA1

07c4fa01089a3275f88ce4d7fa404040ac638c35
SHA256

9696d3ec13f85ada39b140ae0096e765db0ff630f351ffa1e96484f6a4f2f030
SHA512

bae11a5fa3b52c577f815dbda2aefca1a16475fd694cd62684dd31b6890731f14f1d1a3d147f5a159907b4e7e7dcc2cf5dff80b96a5e2076aa4c5cf7c2b56ca3

Score

10^/10

formbook xloader iewb loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

tmp.exe

Resource

win7-20220414-en

xloader iewb loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

tmp.exe

Resource

win10v2004-20220414-en

formbook xloader iewb loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

iewb

Decoy

n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==

5vIAIY+pt81OtWs+FdIEdk7Y

LHIKc+oWGIQUUlfAAtEEdk7Y

ePM/cX2jvHrS

5hvPEw22+fdvmJz3C8FIVq0=

mb9EeX2jvHrS

Dx2zIYNvfjo8VUo5

6jVPnyJekv2RAc4gLKNwEqQ=

KWatHyjdE5Gj1Ng=

t9lk70gzUAZty4qjbVjF

6eUBeFPzKBWT125BFNIEdk7Y

dZUXOIyqTJGj1Ng=

iL3TVh2Jl5QVStnzxcAhIL8=

J1prtyklUfZGR/xDD71IbkWRd2yx

s9FgCOBRW9bU0Y6jbVjF

RYCbQDzcFBhcylgu

Fl0BV/8RJm6F9QRg8LXXTLo=

0dhumHzrCCZ3wdQg7nFF1AlL6Tk=

xvL+iL6wwX+/wH9K4lbZ/A==

N0lVceIFD5Gj1Ng=

5/mnQbHhJ7IzcYjyQbXXTLo=

luHuIKrfNeUkJOfRV0dA8o3Ghkt95g==

yuh2thpBWtHl2ZV48rXXTLo=

ADcuaODkD5eytord4lbZ/A==

PIWRAgq8/zx4aipDyILc

TdUPJBksRZU=

NorCQjrrH5Gj1Ng=

WXUOku0EDZGj1Ng=

4w8mrX8lanCcoWZLU0SkkkSRd2yx

KIYkq/0QN5gPTFK37XszY0fa

s8lIykhdVZjlEA1g8LXXTLo=

AkBw4LE9RQNHkyRsMQ==

fLzVWEjyMarikyRsMQ==

6j1f2ZsFFRpcylgu

zu3YwbBReoIuUh1vdsGonTCDfw==

EGD0PEju53oDSuwu9765d/4KSkXU3Qxh

rc0aZhksRZU=

Un//ZcCsqyaNtEcnt6mLu7Lqdw==

V4Eqwh4FEHqIflW508EYzYSbOeC5

EiWpwJgAFRV5e1r60cAEdk7Y

VW8Pf9PN65HU1otP4lbZ/A==

FFdOyJcMGxpcylgu

KztLpY85vJkLFw==

yh8vtO4GRPQ2kyRsMQ==

qMfrSiqZvghLUyRy/7XXTLo=

eKTGPwmf3swEq2Y3

aoseYSTrlPsvGQ==

Z6tKw0RfgS5+1o6jbVjF

CyU0azDFBZGj1Ng=

7Cy+5co/ZZbhC8dW6eo=

LXmN0EJimQWHylwnbTS6afIlJZHj+Q==

2R2cFWiX1hlZYz2UKh4i12ikiTP55p5Bfg==

jqHcD+eAi5EYlVrJm0TN

cqO55WilyvQ9mG1P4lbZ/A==

BERqtpY6pZDbB8dW6eo=

VpzDHQBueZvY24qjbVjF

OWUELQ6s28NVxom7evrIPfCLfw==

5iO6Dg619fIVQz+Q3I+ZMdmwry4=

d6GiFh7QJaHO2Jxz8bXXTLo=

NlFh6bdVeihxxT1MH+A+TL3MaA==

0PWJHpPJ9zh3nasMO8FIVq0=

19Fom6FBSQ1QrMU=

aYWBmw6431DfHsdW6eo=

Jj7U++2X3M4Eq2Y3

mounscape.com

Targets

- Target
  
  tmp
- Size
  
  612KB
- MD5
  
  0229fa24ef686c20e6d50c5a75aa8c27
- SHA1
  
  07c4fa01089a3275f88ce4d7fa404040ac638c35
- SHA256
  
  9696d3ec13f85ada39b140ae0096e765db0ff630f351ffa1e96484f6a4f2f030
- SHA512
  
  bae11a5fa3b52c577f815dbda2aefca1a16475fd694cd62684dd31b6890731f14f1d1a3d147f5a159907b4e7e7dcc2cf5dff80b96a5e2076aa4c5cf7c2b56ca3
Score

10^/10

xloader iewb loader rat suricata formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderiewbloaderratsuricata

behavioral2

formbookxloaderiewbloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy