formbook

General

Target

Yeni siparis eklendi.exe
Size

730KB
Sample

221101-kjqczaafdr
MD5

ee8349f2888ba2742aee5f3431f8a1b9
SHA1

2645c65169ae561912cc22c0418b0498dc51452d
SHA256

25d182f0fae63df346da5dd500309607c39325a90aca36121e9d928e4c445b76
SHA512

71fafdc140e603f6600971e2d5b3fb8093e1b043e24fbe1515d1460c895c1a9bd95a6af24a5c2c735d9bdf4f4ba6d41b9e6f261b99ccb04b5ee988b7602eb3c1
SSDEEP

12288:cmkj8E72nMvEp9K8jfCRxsvUTGifrMReP0+ax+6m23m23msffffffffffffffffz:uAECSEp9ljfCmUTvfYRB+ax+6m23m23R

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Targets

- Target
  
  Yeni siparis eklendi.exe
- Size
  
  730KB
- MD5
  
  ee8349f2888ba2742aee5f3431f8a1b9
- SHA1
  
  2645c65169ae561912cc22c0418b0498dc51452d
- SHA256
  
  25d182f0fae63df346da5dd500309607c39325a90aca36121e9d928e4c445b76
- SHA512
  
  71fafdc140e603f6600971e2d5b3fb8093e1b043e24fbe1515d1460c895c1a9bd95a6af24a5c2c735d9bdf4f4ba6d41b9e6f261b99ccb04b5ee988b7602eb3c1
- SSDEEP
  
  12288:cmkj8E72nMvEp9K8jfCRxsvUTGifrMReP0+ax+6m23m23msffffffffffffffffz:uAECSEp9ljfCmUTvfYRB+ax+6m23m23R
Score

10^/10

modiloader trojan formbook xloader uj3c loader persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- ModiLoader Second Stage
- Xloader payload
  rat
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Xloader

ModiLoader Second Stage

Xloader payload

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2