formbook | cc57daf94d2c4f0df02f52776881ca4ca73c5175484bc3b63ab7c661a6625878 | Triage

Submit
Reports

Overview

overview

Static

static

VQC612aN8kkRJe9.exe

windows7-x64

VQC612aN8kkRJe9.exe

windows10-2004-x64

Sharing

General

Target

VQC612aN8kkRJe9.zip
Size

473KB
Sample

220723-kmmfgsdcc9
MD5

deda18bc7a9bbfe10fda60e06a1f2766
SHA1

0f0fd001e47f399fc5dd91573731fbdf7e92a145
SHA256

cc57daf94d2c4f0df02f52776881ca4ca73c5175484bc3b63ab7c661a6625878
SHA512

e0fcf267bbade98b2146c360f744978a6b91759e850f56f52171c32c76a236a0e9f7fa8a7e3dba5ad268cf6cec35448c0dda6f3b7e812297964d688d462dcfd5

Score

10^/10

formbook xloader zzun loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

VQC612aN8kkRJe9.exe

Resource

win7-20220718-en

xloader zzun loader rat suricata

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

VQC612aN8kkRJe9.exe

Resource

win10v2004-20220721-en

formbook xloader zzun loader persistence rat spyware stealer suricata trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

zzun

Decoy

JnNtRHyNupy0GqRzAcasu7hb4rc=

Qv593NGLE7p9UNSaVkPXljAJm2QCNnc=

ePArIFWvjkkMgVEVhw4M4Jk=

26rqUwJ7dD0AiDI=

pBAxMHeK741QFw==

kHD7TPt5846pUMTX

56UnjFjHL1i0j659h3LymRnHpQj+SshC

4vKlKHflPqmWXRbrRwfPtrhb4rc=

6LBd4qButFAi

phMzGll8Ue7Fu+inq5cdnPaSugG3

NKswiQGCvZoG5FgsdHEI

rtTHnuUY8M1qVcXV

SOmECrlAt2oGAA==

L1ep9adutFAi

/UE+/AyvE6uEl28weFI=

IP+xMPQxJR4NE6TK

xvW5GN9/rqA5YUoOVt185Sf7Uw==

fRFNW9DhxL6VF7LA

KFYTfkaY741QFw==

W4JGvMBmt2oGAA==

lnoad0Hkgrwl9uXlghvqdz33UA==

1msShiu+9wisELGDjYAK

FBXFOinAK8ylnMZzi35Okw==

V8Y7/cBnt2oGAA==

VfuI0k5pSmi6+aNjIlAT2mspCZBZLGA=

de74yg89D61bSiU=

V2UPjYUvwh21qdxUr4Mf

DcFXvTxFMlyfL5JJIU0=

GldbH/CCt2oGAA==

sxdEIBwn+o+pUMTX

UmViK+1/Knr8814sdHEI

jrfKoZ6paLyeEBETgw4M4Jk=

SR27MizpGwCa19Kb1A==

2DGo9XUNxBOe19Kb1A==

7tBn2cG8jasWHE7w559Aig==

8qtAoVHxl/KGerbsfA4M4Jk=

fC3AH6Utt2oGAA==

HltlPHZ7FpSpUMTX

xd0B+Pr30gBfQGYXafOW1dOSflv+SshC

DKXWyiOecY7319Kb1A==

Pvx505EaswiHYF3z559Aig==

aJ6kaz7CWKsP9g9Ur4Mf

qcvfxb9TwUoDCrfXw/uTdSkTCJBZLGA=

I++iH8xJxFp73nyUjJOg3/PS/3W7

K1N1guwbLz0AiDI=

vp2SfavTmBXNzLeXmIoUhsB7

UlAVhgIfLT0AiDI=

6BKH5GjHt2YIo/qhA69S+5E=

6U29K+qVw5hT4gQ83A==

G9NTmhwpAwY6r4I69kT4dz33UA==

0qstoaNBmBrMlfwTKhrAtLhb4rc=

ZvMhGW52cyAAXkVV3Jc96Lhb4rc=

N9Z3/PmEt2oGAA==

ohlOhcaP741QFw==

9WF3PohVjEolhCY=

am0ek4wtmkEI9GMVhw4M4Jk=

ROotH4+jhp7vnzVdww==

uvkuFhGmJlyjpFFpi35Okw==

ICHQQTIjaxTryG8weFI=

AhIZ8uh974+pUMTX

pEBtSFHr/5s0GQ==

qAcuLnqLNeOpUMTX

bcHv6WdbHoWEylgsdHEI

Nz/rbWh3s4WFDL9uPlAhXKNz

secure-id6793-chase.com

Targets

- Target
  
  VQC612aN8kkRJe9.exe
- Size
  
  578KB
- MD5
  
  2424734321f03e8048202f10ba707c29
- SHA1
  
  e085ae7d3b35f036ebf49076869203a29d9db3c0
- SHA256
  
  72fd8d816c54cacc80a7364d61fccfb6f4c2b9a88ed0cb9296e038b615731cfb
- SHA512
  
  1208d8b231775575cfc360a16fe0d93bbe888253377ac350091d249b9041272f66bd32476c2db9931e4bd34e238a1bc656ad03fffc0480a1cb365ebd705a5b7d
Score

10^/10

xloader zzun loader rat suricata formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderzzunloaderratsuricata

behavioral2

formbookxloaderzzunloaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy