formbook | 985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc | Triage

Submit
Reports

Overview

overview

Static

static

Invoice#58...df.exe

windows7_x64

Invoice#58...df.exe

windows10-2004_x64

Sharing

General

Target

Invoice#5800371 pdf.exe
Size

837KB
Sample

220706-j3vlcscdf4
MD5

328eaa1e53fdeba2a8d99f4a5f0385dd
SHA1

9da77711434bfe5eb4f26365513c7663da5e9885
SHA256

985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc
SHA512

475be1e25abb8697952b5014ebfa6d5e26eb3f0d312739771f4f0f91819f55b3620dbeb76c3bb47a7febf17f8588232d4cecb25cc130f7437d1d810dd8b0586d

Score

10^/10

formbook xloader loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

Invoice#5800371 pdf.exe

Resource

win7-20220414-en

formbook xloader loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Invoice#5800371 pdf.exe

Resource

win10v2004-20220414-en

xloader loader persistence rat spyware stealer suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  Invoice#5800371 pdf.exe
- Size
  
  837KB
- MD5
  
  328eaa1e53fdeba2a8d99f4a5f0385dd
- SHA1
  
  9da77711434bfe5eb4f26365513c7663da5e9885
- SHA256
  
  985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc
- SHA512
  
  475be1e25abb8697952b5014ebfa6d5e26eb3f0d312739771f4f0f91819f55b3620dbeb76c3bb47a7febf17f8588232d4cecb25cc130f7437d1d810dd8b0586d
Score

10^/10

formbook xloader loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderloaderpersistenceratspywarestealersuricatatrojan

behavioral2

xloaderloaderpersistenceratspywarestealersuricata

© 2018-2024

Terms | Privacy