formbook

General

Target

661eda3234e1b3b497701920414c03108188d4e4cadc8a3de7dbda17753c9e09
Size

918KB
Sample

221125-say8hsab3w
MD5

4ad9a15626677976b84e54ea4dde0420
SHA1

07c460596177a5c2ef06e16a38658112348a5c79
SHA256

661eda3234e1b3b497701920414c03108188d4e4cadc8a3de7dbda17753c9e09
SHA512

05528822e2cce1707973d0bcdb661ec677e9991433eef23238d0ae4030909ed8318da1f9e4812d8369d14a71b227f8d62412c95e429ab3fede416816cfb2ac21
SSDEEP

12288:h2/pKmJAagHvRnAmqgc/SdORHmV1ujAcV0szEZbnRQuNbNhPDDSXG:h2/pL+RvCT/SoRHmKgszEZNZH4G

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

b6qc

Decoy

etofood.com

bigtimberroofingnc.com

jacque.doctor

9588uy.site

nosceremonies-lefilm.com

xposetattoosjaipur.com

universalwebbinq.com

klthealthfrancesarl.com

tinyhome.deals

neroivr.com

floridaappeals.net

vladartsmith.com

chatbothealthcare.com

akutansi.online

appointmentcart.com

vertue.xyz

healthplanslakeland.com

es-verification.biz

thatsod.com

521ini.xyz

Targets

- Target
  
  doc001876543456781987651000_pdf .exe
- Size
  
  857KB
- MD5
  
  862a815ffdf58d6c2ae62a2948658e74
- SHA1
  
  df09b761005eba5e45cc3c1503cf2761077d4c49
- SHA256
  
  c40018a8c58d463f829a97d5c5280c2b5292573cbd321f042e7225db4bff6d95
- SHA512
  
  95a79ac52b0b36b4232fdd7a49dca9dfd1be0ae5bc9ae98020e4150e8c8d5859103cf8a7d07773f86ee1841939817022071f46e7893c09826ff204ceab690099
- SSDEEP
  
  12288:L2/pKmJAagHvRnAmqgc/SdORHmV1ujAcV0szEZbnRQuNbNhPDDSXG:L2/pL+RvCT/SoRHmKgszEZNZH4G
Score

10^/10

formbook xloader b6qc loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

Xloader payload

Adds policy Run key to start application

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2