formbook | ef5551b32efae3527d147f40eaac18ab0213b7382d5d54bc67fd1c9911007480 | Triage

Submit
Reports

Overview

overview

Static

static

STD 35 GA ...CX.exe

windows7_x64

STD 35 GA ...CX.exe

windows10-2004_x64

Sharing

General

Target

STD 35 GA Plan_DOCX.exe
Size

681KB
Sample

220707-ef76qaehc6
MD5

1cb1b73c99d72a4d1dcc09858ad1cee5
SHA1

76a12baf54b1f66fbccc3728d3e1fc1ca663c6ee
SHA256

ef5551b32efae3527d147f40eaac18ab0213b7382d5d54bc67fd1c9911007480
SHA512

1206dc9ff04af0d47b96a9e7598fa72626f4d56d0f515ce77ab5d0239a5fa9a1f2d67ba72f0354ed77736078cf466814f7ab5b9497d31a0ef7213cec4e332682

Score

10^/10

formbook xloader iewb loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

STD 35 GA Plan_DOCX.exe

Resource

win7-20220414-en

formbook xloader iewb loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

STD 35 GA Plan_DOCX.exe

Resource

win10v2004-20220414-en

xloader iewb loader persistence rat spyware stealer suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

iewb

Decoy

n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==

5vIAIY+pt81OtWs+FdIEdk7Y

LHIKc+oWGIQUUlfAAtEEdk7Y

ePM/cX2jvHrS

5hvPEw22+fdvmJz3C8FIVq0=

mb9EeX2jvHrS

Dx2zIYNvfjo8VUo5

6jVPnyJekv2RAc4gLKNwEqQ=

KWatHyjdE5Gj1Ng=

t9lk70gzUAZty4qjbVjF

6eUBeFPzKBWT125BFNIEdk7Y

dZUXOIyqTJGj1Ng=

iL3TVh2Jl5QVStnzxcAhIL8=

J1prtyklUfZGR/xDD71IbkWRd2yx

s9FgCOBRW9bU0Y6jbVjF

RYCbQDzcFBhcylgu

Fl0BV/8RJm6F9QRg8LXXTLo=

0dhumHzrCCZ3wdQg7nFF1AlL6Tk=

xvL+iL6wwX+/wH9K4lbZ/A==

N0lVceIFD5Gj1Ng=

5/mnQbHhJ7IzcYjyQbXXTLo=

luHuIKrfNeUkJOfRV0dA8o3Ghkt95g==

yuh2thpBWtHl2ZV48rXXTLo=

ADcuaODkD5eytord4lbZ/A==

PIWRAgq8/zx4aipDyILc

TdUPJBksRZU=

NorCQjrrH5Gj1Ng=

WXUOku0EDZGj1Ng=

4w8mrX8lanCcoWZLU0SkkkSRd2yx

KIYkq/0QN5gPTFK37XszY0fa

s8lIykhdVZjlEA1g8LXXTLo=

AkBw4LE9RQNHkyRsMQ==

fLzVWEjyMarikyRsMQ==

6j1f2ZsFFRpcylgu

zu3YwbBReoIuUh1vdsGonTCDfw==

EGD0PEju53oDSuwu9765d/4KSkXU3Qxh

rc0aZhksRZU=

Un//ZcCsqyaNtEcnt6mLu7Lqdw==

V4Eqwh4FEHqIflW508EYzYSbOeC5

EiWpwJgAFRV5e1r60cAEdk7Y

VW8Pf9PN65HU1otP4lbZ/A==

FFdOyJcMGxpcylgu

KztLpY85vJkLFw==

yh8vtO4GRPQ2kyRsMQ==

qMfrSiqZvghLUyRy/7XXTLo=

eKTGPwmf3swEq2Y3

aoseYSTrlPsvGQ==

Z6tKw0RfgS5+1o6jbVjF

CyU0azDFBZGj1Ng=

7Cy+5co/ZZbhC8dW6eo=

LXmN0EJimQWHylwnbTS6afIlJZHj+Q==

2R2cFWiX1hlZYz2UKh4i12ikiTP55p5Bfg==

jqHcD+eAi5EYlVrJm0TN

cqO55WilyvQ9mG1P4lbZ/A==

BERqtpY6pZDbB8dW6eo=

VpzDHQBueZvY24qjbVjF

OWUELQ6s28NVxom7evrIPfCLfw==

5iO6Dg619fIVQz+Q3I+ZMdmwry4=

d6GiFh7QJaHO2Jxz8bXXTLo=

NlFh6bdVeihxxT1MH+A+TL3MaA==

0PWJHpPJ9zh3nasMO8FIVq0=

19Fom6FBSQ1QrMU=

aYWBmw6431DfHsdW6eo=

Jj7U++2X3M4Eq2Y3

mounscape.com

Targets

- Target
  
  STD 35 GA Plan_DOCX.exe
- Size
  
  681KB
- MD5
  
  1cb1b73c99d72a4d1dcc09858ad1cee5
- SHA1
  
  76a12baf54b1f66fbccc3728d3e1fc1ca663c6ee
- SHA256
  
  ef5551b32efae3527d147f40eaac18ab0213b7382d5d54bc67fd1c9911007480
- SHA512
  
  1206dc9ff04af0d47b96a9e7598fa72626f4d56d0f515ce77ab5d0239a5fa9a1f2d67ba72f0354ed77736078cf466814f7ab5b9497d31a0ef7213cec4e332682
Score

10^/10

formbook xloader iewb loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderiewbloaderpersistenceratspywarestealersuricatatrojan

behavioral2

xloaderiewbloaderpersistenceratspywarestealersuricata

© 2018-2024

Terms | Privacy