formbook | 4863509ff407e4a6389305b5555bc804aa5df9b67290feeb1e36bf68f40696e1 | Triage

Submit
Reports

Overview

overview

Static

static

Scan SOA.exe

windows7_x64

Scan SOA.exe

windows10-2004_x64

Sharing

General

Target

Scan SOA.exe
Size

500KB
Sample

220706-y29q8aahg6
MD5

e69167de6d19a41819f25de01cd10aef
SHA1

c302c06e1cb00e72013b0671ba0db1a541673289
SHA256

4863509ff407e4a6389305b5555bc804aa5df9b67290feeb1e36bf68f40696e1
SHA512

73ec2711e5c3076fee07a03db0289887946a66d3f6656ece5a12db6ad672424368a6e9b5feb339b97a8cec63bf3869b8062f90335fb58e99a9894ef0afa742e1

Score

10^/10

formbook xloader nmd2 loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

Scan SOA.exe

Resource

win7-20220414-en

formbook xloader nmd2 loader persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Scan SOA.exe

Resource

win10v2004-20220414-en

formbook xloader nmd2 loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

nmd2

Decoy

FNWENUOMqqSv0Q==

ls6DEbQ1KBCeSsvUyRg=

mwgrjwpFplaykGoT

Uzzj8yXi13iLMnNGZcnViQliwA==

T7vzj0l0lqquyA==

csHzBjwvF7rmjcmWxjThd61NuuVl4gQ=

YaXyTwg3p1vrf/n9kYJQjrc=

cHAfFEI1JKDF4mTsGjDbeg==

TdDv+o9VSFep3wgTtY0swqQ=

Jw66vdyXdRZG9jJZycLD

icGvsuKZgXNid1M=

6m6H0GvguY+vZZpcioudbQ==

kNUBYMuymhgm2b0q3bEAiQliwA==

M3SiAXRbVe0XAsxDOIp6cg==

+eWLk+HjRRe3LuyavQ==

753R3QYD8XOWtWI0ouGpYw==

dRg+bQZ6TSbC8Sbs2mXXxLM=

kDlUsE+U7Y/RfUQ=

oENlcFZVqqSv0Q==

HCC+nbachxEs1f29GjDbeg==

ctsJlTxo3LFbK0RZycLD

VAV965YJquX+b2gE

wUpcvG0A0kxkhA6dsxec/Ufb

+Kzh3Pz/WTFKLuyavQ==

5IBvVoiTqqSv0Q==

qhS7ELozBsxWGdGNLWXXxLM=

sIdm8Gid7Y/RfUQ=

o9jFl8KnrZEe2UrO2mXXxLM=

eecJaOIceBS8YCLfz2XXxLM=

wvauO+RYyniHRncupG0Ten2V2PDf

meDvRhWM7I/RfUQ=

LlL2kO+2mQQBt6Mbi3M85yXR

/5hqNCjixE1T+DRZycLD

mghXL0b5y1BTAeKFZgcVnbs=

vpRLqCgVpBo+

MhWVgapZL/AkxgTV9WAniQliwA==

G1w14UrRoHGpQ2UVK4BOy+cryA==

Xfjtvd7Rx2B9KWsoP7tp2dGrHmR49g==

YV3YuM5Fbwwp

6l5Yu2CUBLdfCsCe1E47UUFRqOVl4gQ=

zvsbe+zuUwGeQ8vUyRg=

1cI0GBeUfY/RfUQ=

nWgfnkDEUGOJLuyavQ==

0bosGEv++89jmJdZycLD

k55xymOPqqSv0Q==

9Vo/hSEVpBo+

Goh71Ec2I5igPHhLh/mfMmK1d4RK4BA=

ejin8nSfnQonPPibLWXXxLM=

yQUskS2vGpw=

YCbKnMOAcS5Y+zBZycLD

UsS4CoF4lqquyA==

FpSWpcVFbwwp

vFSrpMeaqqSv0Q==

tFR01kVKp0L6IRiD9c7Of5Gus1L3/g==

yr44IihjQHNid1M=

2VRJm0F25df4EZY9bdXViQliwA==

jm/jvLpEJfmbUfbOAH5IaYmZTuVl4gQ=

iYId/jAYAao9W1Oz20NHfcakEBY=

tiUNWfcurI6YSYQ5U7m4ysDQLVBMgdA6iw==

ZeixX31Fbwwp

7FBmslXBOQwbzrIwoXNBiQliwA==

VVr3w7qAY8/hAH5hZsDU

vDlm1IsR5KjVf276e18NPWGBTOVl4gQ=

IxGhEq722C9Yfbn6GjDbeg==

gelasbeauty.com

Targets

- Target
  
  Scan SOA.exe
- Size
  
  500KB
- MD5
  
  e69167de6d19a41819f25de01cd10aef
- SHA1
  
  c302c06e1cb00e72013b0671ba0db1a541673289
- SHA256
  
  4863509ff407e4a6389305b5555bc804aa5df9b67290feeb1e36bf68f40696e1
- SHA512
  
  73ec2711e5c3076fee07a03db0289887946a66d3f6656ece5a12db6ad672424368a6e9b5feb339b97a8cec63bf3869b8062f90335fb58e99a9894ef0afa742e1
Score

10^/10

formbook xloader nmd2 loader persistence rat spyware stealer trojan suricata
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloadernmd2loaderpersistenceratspywarestealertrojan

behavioral2

formbookxloadernmd2loaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy