formbook | d24e3ddbed42b77cee50ff8a06e7414910d755cf2635eadf35b51091c8cba010 | Triage

Submit
Reports

Overview

overview

Static

static

9Vpz6YEQuRqDljF.exe

windows7_x64

9Vpz6YEQuRqDljF.exe

windows10_x64

Sharing

General

Target

9Vpz6YEQuRqDljF.exe
Size

664KB
Sample

220707-frc1dsffa8
MD5

ff73f2e9be581f3bbbaee6438a9ffa67
SHA1

6a77722a024580b6756120b1e0e358898557e129
SHA256

d24e3ddbed42b77cee50ff8a06e7414910d755cf2635eadf35b51091c8cba010
SHA512

b0b2c21cb7952d7b315671027c1af8ee46a684f42b50f50bac72787680290dc95f5ad9eb7451c0cec7fe4cc2b1f0ef22304a0beb877c8708f84515f952e8411f

Score

10^/10

formbook xloader loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

9Vpz6YEQuRqDljF.exe

Resource

win7-20220414-en

xloader loader persistence rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

9Vpz6YEQuRqDljF.exe

Resource

win10-20220414-en

formbook xloader loader persistence rat spyware stealer suricata trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  9Vpz6YEQuRqDljF.exe
- Size
  
  664KB
- MD5
  
  ff73f2e9be581f3bbbaee6438a9ffa67
- SHA1
  
  6a77722a024580b6756120b1e0e358898557e129
- SHA256
  
  d24e3ddbed42b77cee50ff8a06e7414910d755cf2635eadf35b51091c8cba010
- SHA512
  
  b0b2c21cb7952d7b315671027c1af8ee46a684f42b50f50bac72787680290dc95f5ad9eb7451c0cec7fe4cc2b1f0ef22304a0beb877c8708f84515f952e8411f
Score

10^/10

xloader loader persistence rat suricata formbook spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderloaderpersistenceratsuricata

behavioral2

formbookxloaderloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy