formbook | 06b80b5b146259aedc1c2f1da5253e2ad1dadae5ba7577a8cc2ce93191f05fa1 | Triage

Submit
Reports

Overview

overview

Static

static

DHL Packag...88.exe

windows7_x64

DHL Packag...88.exe

windows10-2004_x64

Sharing

General

Target

DHL Package _00099088.exe
Size

508KB
Sample

220706-te3beaeegj
MD5

45dfc5671eca20fa6dc4ed9fa70ec804
SHA1

0f483b3fb308168e3af3ce46fcccbde1265da7a3
SHA256

06b80b5b146259aedc1c2f1da5253e2ad1dadae5ba7577a8cc2ce93191f05fa1
SHA512

2e325dae6375815657cea18f3cd26f6ef59dd279d3c7251432b86c3dad554c31b9ded2623841d73cae554c54f5541735793131a40ccfd43eeca2b8c155253255

Score

10^/10

formbook xloader q80o loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

DHL Package _00099088.exe

Resource

win7-20220414-en

formbook xloader q80o loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

DHL Package _00099088.exe

Resource

win10v2004-20220414-en

formbook xloader q80o loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

q80o

Decoy

f7mdaO1bGlX5Y2KU0dHQaA==

Mps3KuD8zIc+NieaquJSbJf4U75PQQ==

XDEHE8tpP4Uwl4NwhsevSqgqP5ct/8Q=

CEQUvkPpweaRAuejNpsk

eknJn0MoEfumZie5yfrBvueX

8oIe8Jy9cTTiBJQ2KQ==

6/uwsnRgUVcChTCjNpsk

OlNvP2P/9Q==

PRAK+/9rNmwT

WC+kTLpjVUQcW14=

UBHyqBYIxX0rI8b3U7MwdKvk/tcjH90=

OaE5CqzVdrSXjokQNg==

pHhRDF7Q2kf2YB5bIywkhp0=

Dg+chDsoFRbFaiGnugOCof5zF9Pr

Qs+IMKxNKFFEizXk

gnDbWFzyYCcEgwoT/mA=

e8GaWAb7quKJREE=

vnEZ65pK59F1Fvex9dw2SbUXMg==

JWlLFJP5ceeM6q2lnt1ZlvK1vtQ=

UblHILLigo4hiA==

K71OMORTCsFznw==

DDjk7OfIrHsG

z03No0e3vjHR9860CHc=

aMFJNAEk2YcvKDHOxRQOlqOQ9sLp

dIh46PaKCsFznw==

ltecpJM3OLdq2Ds8Pg==

sdegtKrf7/qTAeejNpsk

EhCXbPZlI1hEizXk

SuFlJMpDStB52Ds8Pg==

oeHaqyaaXptLt6Gt0dHQaA==

QZ1pTseuaRP+zskwOw==

4PmhhQBwLV4IjwoT/mA=

iNtZPQI6GqGIYTGjNpsk

M1sB86WzZDHVfEgKCV3w/1tKDkfh

Ba1cTRlFAoRvTUk=

j1PNoy/b8XQTNvUJQaUfTKi0WXicPQ0K

2/GooFlPS0PusnPFTOCP2Aaf

6E0bGcAzPq9q55xCg//6UI3iAtcjH90=

WNhpOOIDu2wYCc60CHc=

oB3N35WpaCnMyFtp0dHQaA==

lvekiDtpNOWRqLE/JUfTOljE0tHr6WzUoHQ=

/NVGBrhuS4w1yIspSiwkhp0=

c9o/6VyElotONy2/C485hq2kTtcjH90=

FhGjk0bhjNB9wn14dmgpfJ4=

lI0eLCM+X5xFzZnbIoYSW5eQ9sLp

PBjznxU1D4RvTUk=

JmgSGBTHodBo2Ds8Pg==

0eGlRcfh0sNwNyzm+A5el7WQ9sLp

puuZQoVlDIRvTUk=

xlANFQCwiK9Sv8Dn4h2k6Ch2hCOvaj9mnA==

wYFXdDo0SEXpgy+jNpsk

2NfObKuHQQO2srg0he9oSbUXMg==

xTm6euX//P+nNEBYSHv150NbGdw=

0YM2JgEnJCUHaDCjNpsk

klvhdPQhB4RvTUk=

xhn9phq8vSfcRlOR0dHQaA==

srdtEot1IuyEEa0uWuivIECNhyq4q0pOlTaghg==

YC3ByohsWVxEizXk

QIBbCYEjLqlVoZy6CXw4t9IzWhCsaj9mnA==

KsFmZCSfqAvIWFVZpxfYcKIBU75PQQ==

EPtpIshyGwe3gj+jNpsk

BY89K7mhWQzltmkKBFXcCTfoJg==

EEwt3VDCd7hPd1qV0dHQaA==

gOVlSAsjxYApB860CHc=

lifesreach.com

Targets

- Target
  
  DHL Package _00099088.exe
- Size
  
  508KB
- MD5
  
  45dfc5671eca20fa6dc4ed9fa70ec804
- SHA1
  
  0f483b3fb308168e3af3ce46fcccbde1265da7a3
- SHA256
  
  06b80b5b146259aedc1c2f1da5253e2ad1dadae5ba7577a8cc2ce93191f05fa1
- SHA512
  
  2e325dae6375815657cea18f3cd26f6ef59dd279d3c7251432b86c3dad554c31b9ded2623841d73cae554c54f5541735793131a40ccfd43eeca2b8c155253255
Score

10^/10

formbook xloader q80o loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderq80oloaderpersistenceratspywarestealersuricatatrojan

behavioral2

formbookxloaderq80oloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy