formbook | 2e873f06eaee2a2cd585af2aa78e88023e91439a6cec6e4ea7a9ee0f192cc3f9 | Triage

Submit
Reports

Overview

overview

Static

static

ORDEN DE C...83.exe

windows7_x64

ORDEN DE C...83.exe

windows10-2004_x64

Sharing

General

Target

674fca050513e3572415cc164a1a4d46
Size

826KB
Sample

220707-f87lbsdgfk
MD5

674fca050513e3572415cc164a1a4d46
SHA1

20449021a209a2f52cc7cecc361fb582cbfe3ddf
SHA256

2e873f06eaee2a2cd585af2aa78e88023e91439a6cec6e4ea7a9ee0f192cc3f9
SHA512

4146a349b34faa8adf8eefa19156f0cbdef441038734de882663ea580667c13512560c7f91c29ce2c1c9748a477687da4b2fb3fda370df8c297b2cf1ea8805bc

Score

10^/10

formbook xloader 3qfc loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

ORDEN DE COMPRA 478483.exe

Resource

win7-20220414-en

xloader 3qfc loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ORDEN DE COMPRA 478483.exe

Resource

win10v2004-20220414-en

formbook xloader 3qfc loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

3qfc

Decoy

8ZNHCqHC6crNVA==

AiX30yGSn4lTRru48IxZvEDheT+RXMY=

olHXuSH5IhTlyG2+4eqegIHgOdIT

Q/uVg4ohrg/9OWFw3Q==

aBO8x7J3dWn+II2S

EjbbhWQhxC8anI2S/A6AZOg9+Yg=

lTvUh92KkWP+II2S

TfVmQqmBEolx+fUBWVNRSpE=

0vmTe4M1hgTFM0JSdsalDA==

D71XP7Jgh2n+II2S

nUm9ckLAYgrAuEeHiRip

ydaYj4t69FRi

7Q8C6UQdwRvtzmvCxibPkZk=

h6pPBXNbBWf0F8kkS2O9

Ar4+8DXap551

cDTwn1zrjDXt24jUXOo=

i8aXpBvxfeTKrVGq0t52ewdYFpAE

sVXTwsIvECMLSw==

HsqAPzirUra6xEaHiRip

dS+6rIw/418rOWFw3Q==

x3PzsSfLQOGNEk0=

q0fAoY9VWzwhOWFw3Q==

oUG7l3MqzU4tOPc9dsalDA==

LNtKJpFKbV/+II2S

eaaZgnbdf/u+IGKYC5H9d4cUJj+RXMY=

6RXeydCfsqaDbNbiPtayf5MxPxKlasuAPVLW/dbf

8hcB69m9zrJ1RgREdsalDA==

lzS7rhb4me+9ly50pL5mXug9+Yg=

o7idfFcHlADLMnDI8JFbwUxffSjyhaCWHg==

BsWDNH0xXFoqFMwUkRt5yY/gOdIT

r2LvsYH30+rPWmhw2GA9GSazcD+RXMY=

OuPBsKWJnpdtQv9CdsalDA==

D9CRbNppjHT+II2S

u13ev8xsVYVvyAJObFNRSpE=

r2kpDHoaJRTyzkaHiRip

xWPz18E2CEAJXA==

woFGOiy5Ws131dAXLl6+

2ZBHMDL0AvLo8LTtV2Df0iqyayv5haCWHg==

DM18X96Zu5VzSPWHiRip

ol0oGYguUTAC4EaHiRip

QGcnA3YyYFIZzj2HiRip

zHFDNMJezINzi0U=

WfiBakACC/jHwmex3qUPg5k=

qFcPC49V7FlIyfw8s08gPg8t

eiKigd+pOeGNEk0=

LdhiIQ2lSr6d8yJslL11ZOg9+Yg=

Lz3xwKpL2E781ERQnlJlmifKcT+RXMY=

K9tlG/d/EoQ9mLwFK9CkHqxF0XvEkt8=

jj/57+KBEXlFQwhIdsalDA==

8qNgN40lKwjGpy1tex/OQA4l

galBLLlEfmwpC8QeguO+GIY=

rVcKwZ5tfnT+II2S

NmlecPKuO+GNEk0=

yuy1eFcXvjUFbJPwKbo7uMEWY83YqH92

sGXsnXofCEAJXA==

Of6xkIQSrx79OWFw3Q==

MUnbvkjO4dTLyWev6J3dR5OjzQ==

6xIC6bZmDIH+gmx53w==

u1nVuQ/D48+PCQqaveI=

xvfZsvWPubp8Wr9NdqRgVqZBUhOWQt5+

vVfx1M1nJJJsAc2BdsalDA==

MVlCVtiGpX557CVq1tCcR5OjzQ==

g5Q74KtneHI8IoyW6HPxeoHgOdIT

DaElHaQsJxDrz02HiRip

xnypcj.com

Targets

- Target
  
  ORDEN DE COMPRA 478483.exe
- Size
  
  750KB
- MD5
  
  79fb9230a90d7e59a735294f63d8b9d2
- SHA1
  
  7384bf68926a1e327534cd66b7ee66a1f4425444
- SHA256
  
  c0f393d8d25c7c604c4bdc76107fc8bef260afa53831e8160fac70e8e9111426
- SHA512
  
  217c3b6151796bd5f02ee7415bb07a2ad7851f3fbc54cdc69adfef07a95fab8d536b543afab3310d40a9812758cc2b80f79470faf513c48714065377c18ceb45
Score

10^/10

xloader 3qfc loader rat suricata formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloader3qfcloaderratsuricata

behavioral2

formbookxloader3qfcloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy