formbook | 492bfe8d2b1105ec4045f96913d38f98e30fe349ea50cc4aaa425ca289af2852 | Triage

Sharing

General

Target

492bfe8d2b1105ec4045f96913d38f98e30fe349ea50cc4aaa425ca289af2852
Size

967KB
Sample

220919-kxwrxadedq
MD5

37840d4e937db0385b820d4019071540
SHA1

a1f7670cd7da7e331db2d69f0855858985819873
SHA256

492bfe8d2b1105ec4045f96913d38f98e30fe349ea50cc4aaa425ca289af2852
SHA512

4a77875a5f9b9066ca6f88ad1ea7c259bb690e3b2c240a3de61081c01f06d87a1cae261b236c7a8b0c7261399a06e1ff3cbbdeb1ca1ee5b732350143eafb51a6
SSDEEP

12288:8HbINWvoTEQYJGl/iUfkcogKuqAJA+1z48qDo5ynuzFl2LUv0eMqnexYA1l/X:6b6ZeGBiAkcogKOi+1zSo5ynRxYA7/X

Score

10^/10

formbook modiloader xloader od65 loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

od65

Decoy

oMDl7+9m1JtQ+KJ//bSZYk7C

0nQRVuikEsWM9KcRhRk=

VXATJsbZt/OyEi6Z0Y9m9O4=

C8ZitXuEXIk613jZWQ==

4IIRKYI2mygmEr7EUhOuiEZ1ux4c

x3mNjz4y4M20lnKM1I9m9O4=

UGB//3QuqmDHeDQ=

2H5k5/UwHEwPv2G+Sg==

xHh+uLvyCnZdPo0YXdyEe+ZowQ==

MMGT27gl8VFJ

pLA/Ve3++kcn1lhn6dDmhI2KGzfKNYU=

Ic/vJ/dG0uDhkYblI6XXFL0SN8cDrZP5

MfKDkw/woqFDCabB0YIs

IsDCzc1GuJOGdqX4CgCAPA==

bROVz2hP/wgV9/eGkw4=

cyM+htBboyUeyj0qbuqNTrhX9gJF/6fx

Q+MDF9cCCn8pkyU5y7fmPwYagMMGB7jx

Ve57nDZMRqeXP+V+0IMu

vmJrjeIXWfXWuZbB0YIs

5qVAfUZyi/sC13jZWQ==

Extracted

Family

xloader

Version

3.8

Campaign

od65

Decoy

oMDl7+9m1JtQ+KJ//bSZYk7C

0nQRVuikEsWM9KcRhRk=

VXATJsbZt/OyEi6Z0Y9m9O4=

C8ZitXuEXIk613jZWQ==

4IIRKYI2mygmEr7EUhOuiEZ1ux4c

x3mNjz4y4M20lnKM1I9m9O4=

UGB//3QuqmDHeDQ=

2H5k5/UwHEwPv2G+Sg==

xHh+uLvyCnZdPo0YXdyEe+ZowQ==

MMGT27gl8VFJ

pLA/Ve3++kcn1lhn6dDmhI2KGzfKNYU=

Ic/vJ/dG0uDhkYblI6XXFL0SN8cDrZP5

MfKDkw/woqFDCabB0YIs

IsDCzc1GuJOGdqX4CgCAPA==

bROVz2hP/wgV9/eGkw4=

cyM+htBboyUeyj0qbuqNTrhX9gJF/6fx

Q+MDF9cCCn8pkyU5y7fmPwYagMMGB7jx

Ve57nDZMRqeXP+V+0IMu

vmJrjeIXWfXWuZbB0YIs

5qVAfUZyi/sC13jZWQ==

Targets

- Target
  
  492bfe8d2b1105ec4045f96913d38f98e30fe349ea50cc4aaa425ca289af2852
- Size
  
  967KB
- MD5
  
  37840d4e937db0385b820d4019071540
- SHA1
  
  a1f7670cd7da7e331db2d69f0855858985819873
- SHA256
  
  492bfe8d2b1105ec4045f96913d38f98e30fe349ea50cc4aaa425ca289af2852
- SHA512
  
  4a77875a5f9b9066ca6f88ad1ea7c259bb690e3b2c240a3de61081c01f06d87a1cae261b236c7a8b0c7261399a06e1ff3cbbdeb1ca1ee5b732350143eafb51a6
- SSDEEP
  
  12288:8HbINWvoTEQYJGl/iUfkcogKuqAJA+1z48qDo5ynuzFl2LUv0eMqnexYA1l/X:6b6ZeGBiAkcogKOi+1zSo5ynRxYA7/X
Score

10^/10

formbook modiloader xloader od65 loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookmodiloaderxloaderod65loaderpersistenceratspywarestealertrojan