formbook | cef18ff96d859568d9f54431c4d174a3c99685855ea86927ceb3849c9c4aa3a9 | Triage

Submit
Reports

Overview

overview

Static

static

1

New Order.exe

windows7_x64

New Order.exe

windows10-2004_x64

Sharing

General

Target

753bcec81b68d95f0866670270587e29
Size

804KB
Sample

220707-f8gd5sfhg6
MD5

753bcec81b68d95f0866670270587e29
SHA1

a50f381e3ddb2ba40fffffe2723f48aa9c3e43b3
SHA256

cef18ff96d859568d9f54431c4d174a3c99685855ea86927ceb3849c9c4aa3a9
SHA512

88304eb0797f7c9ef15671375270fdb4ac975bb893bcf4a1566344aa583efe66bc2ff35fdd5f67386e466cac2878c59a850e5832b50a942648987756b8d59233

Score

10^/10

formbook xloader nmd2 loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

New Order.exe

Resource

win7-20220414-en

formbook xloader nmd2 loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

New Order.exe

Resource

win10v2004-20220414-en

xloader nmd2 loader rat suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

nmd2

Decoy

FNWENUOMqqSv0Q==

ls6DEbQ1KBCeSsvUyRg=

mwgrjwpFplaykGoT

Uzzj8yXi13iLMnNGZcnViQliwA==

T7vzj0l0lqquyA==

csHzBjwvF7rmjcmWxjThd61NuuVl4gQ=

YaXyTwg3p1vrf/n9kYJQjrc=

cHAfFEI1JKDF4mTsGjDbeg==

TdDv+o9VSFep3wgTtY0swqQ=

Jw66vdyXdRZG9jJZycLD

icGvsuKZgXNid1M=

6m6H0GvguY+vZZpcioudbQ==

kNUBYMuymhgm2b0q3bEAiQliwA==

M3SiAXRbVe0XAsxDOIp6cg==

+eWLk+HjRRe3LuyavQ==

753R3QYD8XOWtWI0ouGpYw==

dRg+bQZ6TSbC8Sbs2mXXxLM=

kDlUsE+U7Y/RfUQ=

oENlcFZVqqSv0Q==

HCC+nbachxEs1f29GjDbeg==

ctsJlTxo3LFbK0RZycLD

VAV965YJquX+b2gE

wUpcvG0A0kxkhA6dsxec/Ufb

+Kzh3Pz/WTFKLuyavQ==

5IBvVoiTqqSv0Q==

qhS7ELozBsxWGdGNLWXXxLM=

sIdm8Gid7Y/RfUQ=

o9jFl8KnrZEe2UrO2mXXxLM=

eecJaOIceBS8YCLfz2XXxLM=

wvauO+RYyniHRncupG0Ten2V2PDf

meDvRhWM7I/RfUQ=

LlL2kO+2mQQBt6Mbi3M85yXR

/5hqNCjixE1T+DRZycLD

mghXL0b5y1BTAeKFZgcVnbs=

vpRLqCgVpBo+

MhWVgapZL/AkxgTV9WAniQliwA==

G1w14UrRoHGpQ2UVK4BOy+cryA==

Xfjtvd7Rx2B9KWsoP7tp2dGrHmR49g==

YV3YuM5Fbwwp

6l5Yu2CUBLdfCsCe1E47UUFRqOVl4gQ=

zvsbe+zuUwGeQ8vUyRg=

1cI0GBeUfY/RfUQ=

nWgfnkDEUGOJLuyavQ==

0bosGEv++89jmJdZycLD

k55xymOPqqSv0Q==

9Vo/hSEVpBo+

Goh71Ec2I5igPHhLh/mfMmK1d4RK4BA=

ejin8nSfnQonPPibLWXXxLM=

yQUskS2vGpw=

YCbKnMOAcS5Y+zBZycLD

UsS4CoF4lqquyA==

FpSWpcVFbwwp

vFSrpMeaqqSv0Q==

tFR01kVKp0L6IRiD9c7Of5Gus1L3/g==

yr44IihjQHNid1M=

2VRJm0F25df4EZY9bdXViQliwA==

jm/jvLpEJfmbUfbOAH5IaYmZTuVl4gQ=

iYId/jAYAao9W1Oz20NHfcakEBY=

tiUNWfcurI6YSYQ5U7m4ysDQLVBMgdA6iw==

ZeixX31Fbwwp

7FBmslXBOQwbzrIwoXNBiQliwA==

VVr3w7qAY8/hAH5hZsDU

vDlm1IsR5KjVf276e18NPWGBTOVl4gQ=

IxGhEq722C9Yfbn6GjDbeg==

gelasbeauty.com

Targets

- Target
  
  New Order.exe
- Size
  
  540KB
- MD5
  
  3e1c3ccd576afbb899714b3985451a62
- SHA1
  
  b5e8b705c021abbe2035b2d50fbbd13a38d0eaf0
- SHA256
  
  901b8ec8346c9ec07fb34f17b2eb18f45d6197b0cbb1d7bad6b1cf23ff0cbab1
- SHA512
  
  85b7166b27b2ea70377a95e838e75dd474fe4041776fdc654ce8984775b9ea1a33a487b74843a7e5cc612889b1751fe342019e7a764d5022fbd899b72bc16ddd
Score

10^/10

formbook xloader nmd2 loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloadernmd2loaderpersistenceratspywarestealersuricatatrojan

behavioral2

xloadernmd2loaderratsuricata

© 2018-2024

Terms | Privacy