formbook | 3e4f71deec4d7f09a2b1d3d842f333c1a5b74b01586de7d4373c1b471268844f | Triage

Submit
Reports

Overview

overview

Static

static

1

PO_200251-269312.js

windows7_x64

PO_200251-269312.js

windows10-2004_x64

Sharing

General

Target

1dab5c7ec0a9c66dee60aeee6a8af64c
Size

502KB
Sample

220715-hnwpfahdg4
MD5

1dab5c7ec0a9c66dee60aeee6a8af64c
SHA1

a460574e73ed703755d83999ca019f7d600ac0f1
SHA256

3e4f71deec4d7f09a2b1d3d842f333c1a5b74b01586de7d4373c1b471268844f
SHA512

08bdc1cf7bbe14acd2d3b6824c605e532b85dfa5526025a04248e3b7d80e597da701c442df050b280b2ab883bb8226eaab58905d5e2b06450b833d935774a624

Score

10^/10

formbook xloader vs8g loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO_200251-269312.js

Resource

win7-20220414-en

xloader vs8g loader persistence rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO_200251-269312.js

Resource

win10v2004-20220414-en

formbook xloader vs8g loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

vs8g

Decoy

xEVEsySadSMf8UUC

H8ZbYtGKWPCfp91+uS3TFo/F7tYacwDqHw==

L/St5UjIhTMzEHsb

8h8tDvq0nl8JCWoagxa0MVyvnA==

7bml44z9jZsZx8Co2T8=

EwH88ZtcOu8ehs2P2o6wv78FEe4+xRQ=

bTn3LpE1HfpPAXI=

nYxT+9GLhS1d3zzGJuTDlgpT

HxonIwh8TesenMCo2T8=

Ki83MiehhC9e1i7YQ/Wd32JsGcun

wHcUByFRMuEGh8Co2T8=

86tqpg/Jy60eFmMRPefDlgpT

grSUYa5yahUf8UUC

HVviVsk7Cb6Elc571pnSWCJ93G17PkiI

6LJ1qBPUtGNIl8Co2T8=

AYuWD33xt44VxsCo2T8=

/smXvLMh868VzQqs99/DlgpT

1kEMNVtaMw6KmN+YANYm+kA=

daarti3nbFVKnsCo2T8=

0EJM6cFFHvawA2U=

WZmLjeanlDoDRmMJeRfM

CAnpqoPMmEdBmsCo2T8=

S7NRSknz2IDxrfexzMWcXg==

hbhFvI9GHbYe6lDkMNYm+kA=

ZDYJSK5aKMqTmgGwC9pyCcxc

WBqkiYw6Cq0R1EEHeRbNVMfUWPW+

nDdqqAaRcAQ=

lsLX1cM9FrbMFXIZc/m0MVyvnA==

YceJrx3/7aDcctOaFZQygvVPcl0=

S7Byvh2dXnV5TF0kfw==

zaBZEvt6+etgHQ==

zwcVn349GMs38kfqNPO/MVyvnA==

wi/0NwnAbRwf8UUC

8vYWUbleFPawA2U=

lllK3cr5kDsC

QwHKGfaybiUf8UUC

gGk69u/TalUKIoyTx6PE

6lstUki4iTx4TF0kfw==

1hwVGQl6+etgHQ==

55QxLhZ++etgHQ==

XpUZkHZSGPpPAXI=

b/rRDHMmDMn8lQu9I93DlgpT

grW5q74PiWDh3b3TzoJzZd9Z

HctUSLGkTy0gaK06mjc=

742P/3XnqmZMnMCo2T8=

SwOlZ8q6chM=

XMtX4gaRcAQ=

gqO80CPQo05EmsCo2T8=

jDfY4dVROPVVTF0kfw==

HBcQ9d1lQvL/PYEEPefDlgpT

1FkgSrtsNNTKIJuTx6PE

KKNX0Knpqz0V

JNPadlPYyGVkscCo2T8=

+a2vJgnRyHi2SZJOyJlQn07X7s0acwDqHw==

IE9RTrmihShQ4jrezMWcXg==

+FPcOAZW3vawA2U=

XSH8PZEHwmk2Tp+Tx6PE

0odKiwftyW2aAUnfM9WPZ/RK

Ih8VBfKimjFn/24iVgcM8/VPcl0=

JYeAApzpqz0V

mQGklYL+yXHRpCHTLtYm+kA=

aduCh9uUg2zu60oK

1QcE/VwM0bhnrwCbzzw=

6NujcFnPuV5MnMCo2T8=

madeinfrance.plus

Targets

- Target
  
  PO_200251-269312.js
- Size
  
  363KB
- MD5
  
  44caad4df8dbf71425f53a4164300228
- SHA1
  
  bcbb189276805f815d92575e026ee95c59c2a772
- SHA256
  
  3580439625a85986a0a0428e95a2c22b246c509e340082c3c03e24abc997c9d5
- SHA512
  
  309ca938b4050518afe95b9b8c44c550ecfb6cdea5bea8d8ed7c42d302808bd78efb2ea0338f9f73442dde44ca0acb5702848b97f56183cde2e38516726f769c
Score

10^/10

xloader vs8g loader persistence rat suricata formbook spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadervs8gloaderpersistenceratsuricata

behavioral2

formbookxloadervs8gloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy