formbook | 433c021a1d11c7c05abf6b1a9a2efce350046636684e9db4ae95f8fac8882cfe | Triage

Submit
Reports

Overview

overview

Static

static

ORDEN DE C...83.exe

windows7_x64

ORDEN DE C...83.exe

windows10-2004_x64

Sharing

General

Target

21b5092ea2226ab3d6d5f41dc46c03bf
Size

826KB
Sample

220707-f88hmagac2
MD5

21b5092ea2226ab3d6d5f41dc46c03bf
SHA1

61c804208e8f9104ab58270f6b2c276e4c3e5605
SHA256

433c021a1d11c7c05abf6b1a9a2efce350046636684e9db4ae95f8fac8882cfe
SHA512

3890e0a1cfc60cf45ee52f5bc3d6b3c5fc789e7c1d608d615502ede5521a8d739f6ed50e734631a3a993cb87be1b79b2159bb7c048fbbb9d0f95f6925d0617e8

Score

10^/10

formbook xloader 3qfc loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

ORDEN DE COMPRA 478483.exe

Resource

win7-20220414-en

formbook xloader 3qfc loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ORDEN DE COMPRA 478483.exe

Resource

win10v2004-20220414-en

xloader 3qfc loader persistence rat spyware stealer suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

3qfc

Decoy

8ZNHCqHC6crNVA==

AiX30yGSn4lTRru48IxZvEDheT+RXMY=

olHXuSH5IhTlyG2+4eqegIHgOdIT

Q/uVg4ohrg/9OWFw3Q==

aBO8x7J3dWn+II2S

EjbbhWQhxC8anI2S/A6AZOg9+Yg=

lTvUh92KkWP+II2S

TfVmQqmBEolx+fUBWVNRSpE=

0vmTe4M1hgTFM0JSdsalDA==

D71XP7Jgh2n+II2S

nUm9ckLAYgrAuEeHiRip

ydaYj4t69FRi

7Q8C6UQdwRvtzmvCxibPkZk=

h6pPBXNbBWf0F8kkS2O9

Ar4+8DXap551

cDTwn1zrjDXt24jUXOo=

i8aXpBvxfeTKrVGq0t52ewdYFpAE

sVXTwsIvECMLSw==

HsqAPzirUra6xEaHiRip

dS+6rIw/418rOWFw3Q==

x3PzsSfLQOGNEk0=

q0fAoY9VWzwhOWFw3Q==

oUG7l3MqzU4tOPc9dsalDA==

LNtKJpFKbV/+II2S

eaaZgnbdf/u+IGKYC5H9d4cUJj+RXMY=

6RXeydCfsqaDbNbiPtayf5MxPxKlasuAPVLW/dbf

8hcB69m9zrJ1RgREdsalDA==

lzS7rhb4me+9ly50pL5mXug9+Yg=

o7idfFcHlADLMnDI8JFbwUxffSjyhaCWHg==

BsWDNH0xXFoqFMwUkRt5yY/gOdIT

r2LvsYH30+rPWmhw2GA9GSazcD+RXMY=

OuPBsKWJnpdtQv9CdsalDA==

D9CRbNppjHT+II2S

u13ev8xsVYVvyAJObFNRSpE=

r2kpDHoaJRTyzkaHiRip

xWPz18E2CEAJXA==

woFGOiy5Ws131dAXLl6+

2ZBHMDL0AvLo8LTtV2Df0iqyayv5haCWHg==

DM18X96Zu5VzSPWHiRip

ol0oGYguUTAC4EaHiRip

QGcnA3YyYFIZzj2HiRip

zHFDNMJezINzi0U=

WfiBakACC/jHwmex3qUPg5k=

qFcPC49V7FlIyfw8s08gPg8t

eiKigd+pOeGNEk0=

LdhiIQ2lSr6d8yJslL11ZOg9+Yg=

Lz3xwKpL2E781ERQnlJlmifKcT+RXMY=

K9tlG/d/EoQ9mLwFK9CkHqxF0XvEkt8=

jj/57+KBEXlFQwhIdsalDA==

8qNgN40lKwjGpy1tex/OQA4l

galBLLlEfmwpC8QeguO+GIY=

rVcKwZ5tfnT+II2S

NmlecPKuO+GNEk0=

yuy1eFcXvjUFbJPwKbo7uMEWY83YqH92

sGXsnXofCEAJXA==

Of6xkIQSrx79OWFw3Q==

MUnbvkjO4dTLyWev6J3dR5OjzQ==

6xIC6bZmDIH+gmx53w==

u1nVuQ/D48+PCQqaveI=

xvfZsvWPubp8Wr9NdqRgVqZBUhOWQt5+

vVfx1M1nJJJsAc2BdsalDA==

MVlCVtiGpX557CVq1tCcR5OjzQ==

g5Q74KtneHI8IoyW6HPxeoHgOdIT

DaElHaQsJxDrz02HiRip

xnypcj.com

Targets

- Target
  
  ORDEN DE COMPRA 478483.exe
- Size
  
  750KB
- MD5
  
  79fb9230a90d7e59a735294f63d8b9d2
- SHA1
  
  7384bf68926a1e327534cd66b7ee66a1f4425444
- SHA256
  
  c0f393d8d25c7c604c4bdc76107fc8bef260afa53831e8160fac70e8e9111426
- SHA512
  
  217c3b6151796bd5f02ee7415bb07a2ad7851f3fbc54cdc69adfef07a95fab8d536b543afab3310d40a9812758cc2b80f79470faf513c48714065377c18ceb45
Score

10^/10

formbook xloader 3qfc loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloader3qfcloaderpersistenceratspywarestealersuricatatrojan

behavioral2

xloader3qfcloaderpersistenceratspywarestealersuricata

© 2018-2024

Terms | Privacy