formbook

General

Target

SecuriteInfo.com.Trojan.DownloaderNET.345.16795.20736.exe
Size

235KB
Sample

220830-1ea1gsccd4
MD5

761e6293c71c28887b2f49ebcf3bc501
SHA1

f75107f916dbcf1dfa582081096ac49df75248c2
SHA256

112c01d48613316c5620071a1d3900e798d7421445b1a5174b2a56c228c5c3c2
SHA512

e56f8fafe7619484dbd02f1f6f6210ac0c1d501fe39b8b76c62cad7d05685127f7309a994b4e950442db8fe001a00f5373e5e1f2b998b8057da8f6c3d0ae3da7
SSDEEP

6144:dF4FRne9XGXFby3fgJJF3OmSOlvr018/pUa5Mc:/4veVGVmYJ/3HF1Ua5Mc

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

zgtb

Decoy

gabriellep.com

honghe4.xyz

anisaofrendas.com

happy-tile.com

thesulkies.com

international-ipo.com

tazeco.info

hhhzzz.xyz

vrmonster.xyz

theearthresidencia.com

sportape.xyz

elshadaibaterias.com

koredeiihibi.com

taxtaa.com

globalcityb.com

fxivcama.com

dagsmith.com

elmar-bhp.com

peakice.net

jhcdjewelry.com

Targets

- Target
  
  SecuriteInfo.com.Trojan.DownloaderNET.345.16795.20736.exe
- Size
  
  235KB
- MD5
  
  761e6293c71c28887b2f49ebcf3bc501
- SHA1
  
  f75107f916dbcf1dfa582081096ac49df75248c2
- SHA256
  
  112c01d48613316c5620071a1d3900e798d7421445b1a5174b2a56c228c5c3c2
- SHA512
  
  e56f8fafe7619484dbd02f1f6f6210ac0c1d501fe39b8b76c62cad7d05685127f7309a994b4e950442db8fe001a00f5373e5e1f2b998b8057da8f6c3d0ae3da7
- SSDEEP
  
  6144:dF4FRne9XGXFby3fgJJF3OmSOlvr018/pUa5Mc:/4veVGVmYJ/3HF1Ua5Mc
Score

10^/10

formbook xloader zgtb loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

Xloader payload

Adds policy Run key to start application

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2