formbook | 55515fcdf9db3576553c72878e05ce6ac03bdf8fd7d8ce1521803d2829c18b75 | Triage

Submit
Reports

Overview

overview

Static

static

soa.exe

windows7_x64

soa.exe

windows10-2004_x64

Sharing

General

Target

soa.exe
Size

525KB
Sample

220706-xfrg3sgaam
MD5

93d8f2525be4725c994a7709cb2e3485
SHA1

17eb478f73c8fbfcae342a3039343c2b3575ab99
SHA256

55515fcdf9db3576553c72878e05ce6ac03bdf8fd7d8ce1521803d2829c18b75
SHA512

76066fea9d90775bfd5d6b03ed078b21e9cb775090ce3c8f4cc879e1c25ab987878b7252d2fa3e6fe0b1826252d7152ab82719219b1a2d8261b1da03d409d48c

Score

10^/10

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

soa.exe

Resource

win7-20220414-en

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

soa.exe

Resource

win10v2004-20220414-en

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

gfv7

Decoy

hd4AZDZ3XeSkZ9w0NRn2+JU=

6iAxmGKdumxFEgwp

jM6QcxNUSeCKaUdvvh3g9mffhosQ

d4CC0LS0DjTJS8FdXqd3soM=

S1LPlXEIJY52Og==

doeO7AimsF0NEvFgnIV5

W2TlzH/byHtUU3B7tw==

Y2RAbyZjex2qj6GQv4Q=

ftoOsCpZdfmALQ==

4kqL8v/6rDj8Ohs/wAjkb0gD5Gfiww==

8mVs/AkvwLnIWp4=

yfqAazgHioT8b9yHSKpLDtgY

EyWD5F+Wu3L0xq/VJXgdlnFvBDdUz5WM

jn9ty+pdRNdtcDhJ5k8nwZofm4EJ

s9XVNv4/aRDBUx4w

+vHFE7Fw1rnIWp4=

wC395Yvi6G/3yoWRGW1USxzshi3Dyw==

jcbufIN91gHAUK1RYUMYIdyqpDlUz5WM

iIyoIvZNXwPNmBlBxGk6+A==

C/hTD8h/KWLiMW4Mt/joXyz23Q==

V5ApC8yE9ga07OV4Q61LDtgY

xtLNTFFs/RCJA4orMGL9ApU=

/AKLeE8idfmALQ==

WJL8UAHhVg7FSqAxOWL9ApU=

9iK1jWPdwWJFEgwp

Rz0Nb3NpyLnIWp4=

th3awtVSNNiFPLlnLxPmXyz23Q==

PLAGb2JN/0tFEgwp

DwBJL0vXwz6VU3B7tw==

bOAIYklXEJsP7BUDjxTubP8Q

AzA1r1ApwbnIWp4=

GY7VFP8Z42Eu0zrPgv7M27H2j0s=

M1Xf2X3iJY52Og==

TniK5ZHG5YsoO/UBSCIK04Osyg==

bNielgswlcIx

BT5/syRLwuaFFoo=

zwZKrUOtnTLZkPUBUkIUo7nAxA==

S3TY7rP8Gao+W6GQv4Q=

8vR8aFToJinc8vkLXbaY8pHOkINUz5WM

fn99yILT1WJFEgwp

4CI0fVVcxeyXIYwwPVLo9Iw=

hq6/DbfACpAm

ZJBMLtsgRN6izYKOI6xLDtgY

0w51/t24cgbsNUTkoS3BBZM=

KigtlHKAVuSnOpkzO1Lo9Iw=

QJKEvBztdfmALQ==

JCr9WGswGbg7

cbnlTTM1lc+s9s/6j/3mXyz23Q==

nC9880u66IpFEgwp

8l0tFQeq3HFHilpg32RN0GRVOaxXKO8YOA==

aV4laF9ZdfmALQ==

p8+JhjIKxEMWa1707GVKBdbbhi3Dyw==

lsDLGs6vauq8ERrIkwrU1m76mhgPoVk=

VmL44pRG8A56zSK0xGk6+A==

0MtFU1jACpAm

ASApso7Btzm4sbLiY79LDtgY

ULrfRv1BUwzoty9HxGk6+A==

qasiAbIOJY52Og==

UZN9Xx2miW9FEgwp

zDMIAhSLts63jRpCxGk6+A==

f3gLFxpk+DG+U3B7tw==

qzWSblb1ernIWp4=

+CZPmjzmSGIHjN6BSapLDtgY

jsw3l0sshQ0MzjNRqA==

littlemountainnomad.com

Targets

- Target
  
  soa.exe
- Size
  
  525KB
- MD5
  
  93d8f2525be4725c994a7709cb2e3485
- SHA1
  
  17eb478f73c8fbfcae342a3039343c2b3575ab99
- SHA256
  
  55515fcdf9db3576553c72878e05ce6ac03bdf8fd7d8ce1521803d2829c18b75
- SHA512
  
  76066fea9d90775bfd5d6b03ed078b21e9cb775090ce3c8f4cc879e1c25ab987878b7252d2fa3e6fe0b1826252d7152ab82719219b1a2d8261b1da03d409d48c
Score

10^/10

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloadergfv7loaderpersistenceratspywarestealersuricatatrojan

behavioral2

formbookxloadergfv7loaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy