formbook | eb7d6d108c4b7e0a5b92727310d4d7fbeeb5b7d1db42277b88e209c2465b2b9a | Triage

Submit
Reports

Overview

overview

Static

static

XLYQSINv1hOt3N4.exe

windows7-x64

XLYQSINv1hOt3N4.exe

windows10-2004-x64

Sharing

General

Target

XLYQSINv1hOt3N4.exe
Size

1.2MB
Sample

220719-nhpxlabgc6
MD5

1c81b3eb8da296cefba9d12af0673079
SHA1

bb408ca2fc342cc10f40343e7d58d1d3262427bc
SHA256

eb7d6d108c4b7e0a5b92727310d4d7fbeeb5b7d1db42277b88e209c2465b2b9a
SHA512

07a85e9a527a5628d397df78660207953e6bbeb78a38e3572af35bcf5ed02d1985140e460d7b81c50a7fc712d2d1b754651d9d586b1cb5d6b0e9616c9b9ef0dc

Score

10^/10

formbook xloader zzun loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

XLYQSINv1hOt3N4.exe

Resource

win7-20220715-en

formbook xloader zzun loader persistence rat spyware stealer suricata trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

XLYQSINv1hOt3N4.exe

Resource

win10v2004-20220718-en

xloader zzun loader persistence rat spyware stealer suricata

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

zzun

Decoy

JnNtRHyNupy0GqRzAcasu7hb4rc=

Qv593NGLE7p9UNSaVkPXljAJm2QCNnc=

ePArIFWvjkkMgVEVhw4M4Jk=

26rqUwJ7dD0AiDI=

pBAxMHeK741QFw==

kHD7TPt5846pUMTX

56UnjFjHL1i0j659h3LymRnHpQj+SshC

4vKlKHflPqmWXRbrRwfPtrhb4rc=

6LBd4qButFAi

phMzGll8Ue7Fu+inq5cdnPaSugG3

NKswiQGCvZoG5FgsdHEI

rtTHnuUY8M1qVcXV

SOmECrlAt2oGAA==

L1ep9adutFAi

/UE+/AyvE6uEl28weFI=

IP+xMPQxJR4NE6TK

xvW5GN9/rqA5YUoOVt185Sf7Uw==

fRFNW9DhxL6VF7LA

KFYTfkaY741QFw==

W4JGvMBmt2oGAA==

lnoad0Hkgrwl9uXlghvqdz33UA==

1msShiu+9wisELGDjYAK

FBXFOinAK8ylnMZzi35Okw==

V8Y7/cBnt2oGAA==

VfuI0k5pSmi6+aNjIlAT2mspCZBZLGA=

de74yg89D61bSiU=

V2UPjYUvwh21qdxUr4Mf

DcFXvTxFMlyfL5JJIU0=

GldbH/CCt2oGAA==

sxdEIBwn+o+pUMTX

UmViK+1/Knr8814sdHEI

jrfKoZ6paLyeEBETgw4M4Jk=

SR27MizpGwCa19Kb1A==

2DGo9XUNxBOe19Kb1A==

7tBn2cG8jasWHE7w559Aig==

8qtAoVHxl/KGerbsfA4M4Jk=

fC3AH6Utt2oGAA==

HltlPHZ7FpSpUMTX

xd0B+Pr30gBfQGYXafOW1dOSflv+SshC

DKXWyiOecY7319Kb1A==

Pvx505EaswiHYF3z559Aig==

aJ6kaz7CWKsP9g9Ur4Mf

qcvfxb9TwUoDCrfXw/uTdSkTCJBZLGA=

I++iH8xJxFp73nyUjJOg3/PS/3W7

K1N1guwbLz0AiDI=

vp2SfavTmBXNzLeXmIoUhsB7

UlAVhgIfLT0AiDI=

6BKH5GjHt2YIo/qhA69S+5E=

6U29K+qVw5hT4gQ83A==

G9NTmhwpAwY6r4I69kT4dz33UA==

0qstoaNBmBrMlfwTKhrAtLhb4rc=

ZvMhGW52cyAAXkVV3Jc96Lhb4rc=

N9Z3/PmEt2oGAA==

ohlOhcaP741QFw==

9WF3PohVjEolhCY=

am0ek4wtmkEI9GMVhw4M4Jk=

ROotH4+jhp7vnzVdww==

uvkuFhGmJlyjpFFpi35Okw==

ICHQQTIjaxTryG8weFI=

AhIZ8uh974+pUMTX

pEBtSFHr/5s0GQ==

qAcuLnqLNeOpUMTX

bcHv6WdbHoWEylgsdHEI

Nz/rbWh3s4WFDL9uPlAhXKNz

secure-id6793-chase.com

Targets

- Target
  
  XLYQSINv1hOt3N4.exe
- Size
  
  1.2MB
- MD5
  
  1c81b3eb8da296cefba9d12af0673079
- SHA1
  
  bb408ca2fc342cc10f40343e7d58d1d3262427bc
- SHA256
  
  eb7d6d108c4b7e0a5b92727310d4d7fbeeb5b7d1db42277b88e209c2465b2b9a
- SHA512
  
  07a85e9a527a5628d397df78660207953e6bbeb78a38e3572af35bcf5ed02d1985140e460d7b81c50a7fc712d2d1b754651d9d586b1cb5d6b0e9616c9b9ef0dc
Score

10^/10

formbook xloader zzun loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderzzunloaderpersistenceratspywarestealersuricatatrojan

behavioral2

xloaderzzunloaderpersistenceratspywarestealersuricata

© 2018-2024

Terms | Privacy