formbook | 7d7f61dcd91716fad45ca306c59abcae50f15efe605825c0b9f8e6610c6d2fca | Triage

Submit
Reports

Overview

overview

Static

static

New order ...22.exe

windows7_x64

New order ...22.exe

windows10-2004_x64

Sharing

General

Target

New order 07,06,2022.gz
Size

580KB
Sample

220706-j7j1esaefm
MD5

11c52c5d7dab09b958b961f7808443cb
SHA1

11ad298f2a2c7bd25037eb6116a5b2fbaa599b83
SHA256

7d7f61dcd91716fad45ca306c59abcae50f15efe605825c0b9f8e6610c6d2fca
SHA512

10f5f40a6a3da477ba16ca040c9752170d17eb7a3a3148f9f010373335e79d1bf12aed3dce43a4c674b8b7521fde9d4254f7233b06f00aaa88d5edf6acd2bb1d

Score

10^/10

formbook xloader loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

New order 07,06,2022.exe

Resource

win7-20220414-en

formbook xloader loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

New order 07,06,2022.exe

Resource

win10v2004-20220414-en

formbook xloader loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  New order 07,06,2022.exe
- Size
  
  626KB
- MD5
  
  1287d9ae257300407cf7490872764eab
- SHA1
  
  b71bc21b67a5b1031ed873b02e54726394c90060
- SHA256
  
  f6db3a2b3160b40742b164c6bbe0496368f4fc52d1a16757a49d023f5189b428
- SHA512
  
  4ebd21f597a8c5025216aa44df4d44afeaadb16729cf049b95a329ebd0d47def09c5fbd9f518dd0560101ffe5c30405f6ecf13e9502841bfcf8c52332ee8d13e
Score

10^/10

formbook xloader loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderloaderpersistenceratspywarestealersuricatatrojan

behavioral2

formbookxloaderloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy