formbook | 0937b647422cc2dbb161dfb308bfd1601950cb99c1a87434a1b940d3a1483f57 | Triage

Submit
Reports

Overview

overview

Static

static

INV.00174439.js

windows7_x64

INV.00174439.js

windows10-2004_x64

Sharing

General

Target

INV.00174439.js
Size

340KB
Sample

220707-g6l3aaedgn
MD5

b35b0fff8b166a500cb785c6b823ad46
SHA1

a585854028426f8f48d2e654790ef33abf8f1251
SHA256

0937b647422cc2dbb161dfb308bfd1601950cb99c1a87434a1b940d3a1483f57
SHA512

414640fd2d1f0dc6ecafa71e33816351988ff432148836f0df9332744cacca25081ce615edbff8405114b94371b462fe9f7eacdc94120b3b5e01c1d813ad09aa

Score

10^/10

formbook xloader vs8g loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

INV.00174439.js

Resource

win7-20220414-en

formbook xloader vs8g loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

INV.00174439.js

Resource

win10v2004-20220414-en

formbook xloader vs8g loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

vs8g

Decoy

xEVEsySadSMf8UUC

H8ZbYtGKWPCfp91+uS3TFo/F7tYacwDqHw==

L/St5UjIhTMzEHsb

8h8tDvq0nl8JCWoagxa0MVyvnA==

7bml44z9jZsZx8Co2T8=

EwH88ZtcOu8ehs2P2o6wv78FEe4+xRQ=

bTn3LpE1HfpPAXI=

nYxT+9GLhS1d3zzGJuTDlgpT

HxonIwh8TesenMCo2T8=

Ki83MiehhC9e1i7YQ/Wd32JsGcun

wHcUByFRMuEGh8Co2T8=

86tqpg/Jy60eFmMRPefDlgpT

grSUYa5yahUf8UUC

HVviVsk7Cb6Elc571pnSWCJ93G17PkiI

6LJ1qBPUtGNIl8Co2T8=

AYuWD33xt44VxsCo2T8=

/smXvLMh868VzQqs99/DlgpT

1kEMNVtaMw6KmN+YANYm+kA=

daarti3nbFVKnsCo2T8=

0EJM6cFFHvawA2U=

WZmLjeanlDoDRmMJeRfM

CAnpqoPMmEdBmsCo2T8=

S7NRSknz2IDxrfexzMWcXg==

hbhFvI9GHbYe6lDkMNYm+kA=

ZDYJSK5aKMqTmgGwC9pyCcxc

WBqkiYw6Cq0R1EEHeRbNVMfUWPW+

nDdqqAaRcAQ=

lsLX1cM9FrbMFXIZc/m0MVyvnA==

YceJrx3/7aDcctOaFZQygvVPcl0=

S7Byvh2dXnV5TF0kfw==

zaBZEvt6+etgHQ==

zwcVn349GMs38kfqNPO/MVyvnA==

wi/0NwnAbRwf8UUC

8vYWUbleFPawA2U=

lllK3cr5kDsC

QwHKGfaybiUf8UUC

gGk69u/TalUKIoyTx6PE

6lstUki4iTx4TF0kfw==

1hwVGQl6+etgHQ==

55QxLhZ++etgHQ==

XpUZkHZSGPpPAXI=

b/rRDHMmDMn8lQu9I93DlgpT

grW5q74PiWDh3b3TzoJzZd9Z

HctUSLGkTy0gaK06mjc=

742P/3XnqmZMnMCo2T8=

SwOlZ8q6chM=

XMtX4gaRcAQ=

gqO80CPQo05EmsCo2T8=

jDfY4dVROPVVTF0kfw==

HBcQ9d1lQvL/PYEEPefDlgpT

1FkgSrtsNNTKIJuTx6PE

KKNX0Knpqz0V

JNPadlPYyGVkscCo2T8=

+a2vJgnRyHi2SZJOyJlQn07X7s0acwDqHw==

IE9RTrmihShQ4jrezMWcXg==

+FPcOAZW3vawA2U=

XSH8PZEHwmk2Tp+Tx6PE

0odKiwftyW2aAUnfM9WPZ/RK

Ih8VBfKimjFn/24iVgcM8/VPcl0=

JYeAApzpqz0V

mQGklYL+yXHRpCHTLtYm+kA=

aduCh9uUg2zu60oK

1QcE/VwM0bhnrwCbzzw=

6NujcFnPuV5MnMCo2T8=

madeinfrance.plus

Targets

- Target
  
  INV.00174439.js
- Size
  
  340KB
- MD5
  
  b35b0fff8b166a500cb785c6b823ad46
- SHA1
  
  a585854028426f8f48d2e654790ef33abf8f1251
- SHA256
  
  0937b647422cc2dbb161dfb308bfd1601950cb99c1a87434a1b940d3a1483f57
- SHA512
  
  414640fd2d1f0dc6ecafa71e33816351988ff432148836f0df9332744cacca25081ce615edbff8405114b94371b462fe9f7eacdc94120b3b5e01c1d813ad09aa
Score

10^/10

formbook xloader vs8g loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloadervs8gloaderpersistenceratspywarestealersuricatatrojan

behavioral2

formbookxloadervs8gloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy