formbook | 535fb5862370192d9fa74321ef99aa8fe36aaf56689f48411fc7c14b9c984533 | Triage

Submit
Reports

Overview

overview

Static

static

SOA.exe

windows7_x64

SOA.exe

windows10-2004_x64

Sharing

General

Target

SOA.exe
Size

952KB
Sample

220707-kjwjzsbcg5
MD5

d214a74543e7e29a6702358a3a834f70
SHA1

7fd6aa9cf895309fca426c6decff54e17f979a8c
SHA256

535fb5862370192d9fa74321ef99aa8fe36aaf56689f48411fc7c14b9c984533
SHA512

b4e5fad9f7ecf61c29d2c7f960f6dcb6d8977720eebb61014aff45c71d95112525a55ee84cde93ab7bbd689a00f4a2f21d3f2306e97a7e836c69cf14c2512fc7

Score

10^/10

formbook xloader nmd2 loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

SOA.exe

Resource

win7-20220414-en

xloader nmd2 loader persistence rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SOA.exe

Resource

win10v2004-20220414-en

formbook xloader nmd2 loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

nmd2

Decoy

FNWENUOMqqSv0Q==

ls6DEbQ1KBCeSsvUyRg=

mwgrjwpFplaykGoT

Uzzj8yXi13iLMnNGZcnViQliwA==

T7vzj0l0lqquyA==

csHzBjwvF7rmjcmWxjThd61NuuVl4gQ=

YaXyTwg3p1vrf/n9kYJQjrc=

cHAfFEI1JKDF4mTsGjDbeg==

TdDv+o9VSFep3wgTtY0swqQ=

Jw66vdyXdRZG9jJZycLD

icGvsuKZgXNid1M=

6m6H0GvguY+vZZpcioudbQ==

kNUBYMuymhgm2b0q3bEAiQliwA==

M3SiAXRbVe0XAsxDOIp6cg==

+eWLk+HjRRe3LuyavQ==

753R3QYD8XOWtWI0ouGpYw==

dRg+bQZ6TSbC8Sbs2mXXxLM=

kDlUsE+U7Y/RfUQ=

oENlcFZVqqSv0Q==

HCC+nbachxEs1f29GjDbeg==

ctsJlTxo3LFbK0RZycLD

VAV965YJquX+b2gE

wUpcvG0A0kxkhA6dsxec/Ufb

+Kzh3Pz/WTFKLuyavQ==

5IBvVoiTqqSv0Q==

qhS7ELozBsxWGdGNLWXXxLM=

sIdm8Gid7Y/RfUQ=

o9jFl8KnrZEe2UrO2mXXxLM=

eecJaOIceBS8YCLfz2XXxLM=

wvauO+RYyniHRncupG0Ten2V2PDf

meDvRhWM7I/RfUQ=

LlL2kO+2mQQBt6Mbi3M85yXR

/5hqNCjixE1T+DRZycLD

mghXL0b5y1BTAeKFZgcVnbs=

vpRLqCgVpBo+

MhWVgapZL/AkxgTV9WAniQliwA==

G1w14UrRoHGpQ2UVK4BOy+cryA==

Xfjtvd7Rx2B9KWsoP7tp2dGrHmR49g==

YV3YuM5Fbwwp

6l5Yu2CUBLdfCsCe1E47UUFRqOVl4gQ=

zvsbe+zuUwGeQ8vUyRg=

1cI0GBeUfY/RfUQ=

nWgfnkDEUGOJLuyavQ==

0bosGEv++89jmJdZycLD

k55xymOPqqSv0Q==

9Vo/hSEVpBo+

Goh71Ec2I5igPHhLh/mfMmK1d4RK4BA=

ejin8nSfnQonPPibLWXXxLM=

yQUskS2vGpw=

YCbKnMOAcS5Y+zBZycLD

UsS4CoF4lqquyA==

FpSWpcVFbwwp

vFSrpMeaqqSv0Q==

tFR01kVKp0L6IRiD9c7Of5Gus1L3/g==

yr44IihjQHNid1M=

2VRJm0F25df4EZY9bdXViQliwA==

jm/jvLpEJfmbUfbOAH5IaYmZTuVl4gQ=

iYId/jAYAao9W1Oz20NHfcakEBY=

tiUNWfcurI6YSYQ5U7m4ysDQLVBMgdA6iw==

ZeixX31Fbwwp

7FBmslXBOQwbzrIwoXNBiQliwA==

VVr3w7qAY8/hAH5hZsDU

vDlm1IsR5KjVf276e18NPWGBTOVl4gQ=

IxGhEq722C9Yfbn6GjDbeg==

gelasbeauty.com

Targets

- Target
  
  SOA.exe
- Size
  
  952KB
- MD5
  
  d214a74543e7e29a6702358a3a834f70
- SHA1
  
  7fd6aa9cf895309fca426c6decff54e17f979a8c
- SHA256
  
  535fb5862370192d9fa74321ef99aa8fe36aaf56689f48411fc7c14b9c984533
- SHA512
  
  b4e5fad9f7ecf61c29d2c7f960f6dcb6d8977720eebb61014aff45c71d95112525a55ee84cde93ab7bbd689a00f4a2f21d3f2306e97a7e836c69cf14c2512fc7
Score

10^/10

xloader nmd2 loader persistence rat suricata formbook spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadernmd2loaderpersistenceratsuricata

behavioral2

formbookxloadernmd2loaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy