formbook

General

Target

09544353425756.zip
Size

337KB
Sample

230227-xz5ttafa9s
MD5

ab3546128bf2fbb96f21a553059b1537
SHA1

e6c355a40c8578bebe26db758e8b7edf4582fb5d
SHA256

7e98f0b1f0599a54e37c2d2ee99111106f920dcf901b1faf07036b2681daca9b
SHA512

d522720cdef4a87ce44bc824f6f9f4db455f373b64d3c46d967498a0f45fc9012636d77a62daa4a6e3149d8b46501c1830fd08ab74151125c1cfa324e12dae25
SSDEEP

6144:WM/5bLEQafhRVm3WBE5AdI/U5DtD4YyBNcXpcX46JMLYEjL2PQPmGsYj8Yt:V/5b4Qaf83WW7U5DtDpXXa/O56PEsYjX

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Targets

- Target
  
  09544353425756.exe
- Size
  
  771KB
- MD5
  
  cec36e0796a2cbb1fbc62a0da6f109bb
- SHA1
  
  1564c76aa35fb9668428fd9fdec8b60bd61596b5
- SHA256
  
  60e62d5459b1971893914ca21242c08a31cdc2dcdeed79e92c0b594e43bf8ec5
- SHA512
  
  76df43d7cc966ed43fb02ee1ebb9967c916f5e5d3c6c659a2840945e1e30df4dbdad151ac7c6e944660437045ea8a0bccfb917d378be6ed5df817bf753d96e1d
- SSDEEP
  
  12288:Pr5Nxzs78p/cJCzQkgtr80XGjObPkOOfIiteSmF0Z/:PFvzs7bJWbgtopibPkOOnm0
Score

10^/10

modiloader trojan formbook xloader uj3c loader persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- ModiLoader Second Stage
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Xloader

ModiLoader Second Stage

Xloader payload

Adds policy Run key to start application

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2