formbook

General

Target

0094352783923.exe
Size

726KB
Sample

230213-hxmswsah7v
MD5

74d4c55aec897f408948b8a5609bffdd
SHA1

7fa4f6619edac4852b0eec9d017c5d68218d3c3d
SHA256

e62a8dd12a0fe7876f858f80bfc1e9658f52f4594d7194ecc6dd656cd715b9d4
SHA512

b8500b56c2be340d20d3d6f9442dc697e1bde8b61b15d0e4c30fe616d92576391517bb71411a0929501aa1b5486dcf8083782f6ffa239ebf2cb28f472ea25665
SSDEEP

12288:4ElN2Z2/NeCH8l5Hcy+Kl6ZZw773v8kOAAlD+JuvoMAEulyZZI9:F6YoCc0y+KlGwn35vAl5lAEuoLI9

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Targets

- Target
  
  0094352783923.exe
- Size
  
  726KB
- MD5
  
  74d4c55aec897f408948b8a5609bffdd
- SHA1
  
  7fa4f6619edac4852b0eec9d017c5d68218d3c3d
- SHA256
  
  e62a8dd12a0fe7876f858f80bfc1e9658f52f4594d7194ecc6dd656cd715b9d4
- SHA512
  
  b8500b56c2be340d20d3d6f9442dc697e1bde8b61b15d0e4c30fe616d92576391517bb71411a0929501aa1b5486dcf8083782f6ffa239ebf2cb28f472ea25665
- SSDEEP
  
  12288:4ElN2Z2/NeCH8l5Hcy+Kl6ZZw773v8kOAAlD+JuvoMAEulyZZI9:F6YoCc0y+KlGwn35vAl5lAEuoLI9
Score

10^/10

modiloader trojan formbook xloader uj3c loader persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- ModiLoader Second Stage
- Xloader payload
  rat
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Xloader

ModiLoader Second Stage

Xloader payload

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2