formbook | dc269b93c470ddd734e2486a3b818a986d0261824473f805f3e42f0100f51081 | Triage

Sharing

General

Target

cec36e0796a2cbb1fbc62a0da6f109bb.bin
Size

331KB
Sample

230301-b8ehbsdg2x
MD5

08f843a45058d658d89a7278b4f7f7ad
SHA1

f20ecb9249c66bc9e6b19eccf5fe3058dca7ad4c
SHA256

dc269b93c470ddd734e2486a3b818a986d0261824473f805f3e42f0100f51081
SHA512

a0cb7b3afb0c8e3f272661525e80a82b27ca0dd087a5b84dd1acf64e42ef904c5bc522b28af5ee68d34ff8dacb1cb455b181788ac621ea42bf8fc729c1889f25
SSDEEP

6144:JjyzYhYMU3f6+yed0EPDBjNKfWq4/4H79CvWb5Vxbme:J/hFrrEPDD1RAb8ITZ7

Score

10^/10

formbook modiloader xloader uj3c loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Targets

- Target
  
  60e62d5459b1971893914ca21242c08a31cdc2dcdeed79e92c0b594e43bf8ec5.exe
- Size
  
  771KB
- MD5
  
  cec36e0796a2cbb1fbc62a0da6f109bb
- SHA1
  
  1564c76aa35fb9668428fd9fdec8b60bd61596b5
- SHA256
  
  60e62d5459b1971893914ca21242c08a31cdc2dcdeed79e92c0b594e43bf8ec5
- SHA512
  
  76df43d7cc966ed43fb02ee1ebb9967c916f5e5d3c6c659a2840945e1e30df4dbdad151ac7c6e944660437045ea8a0bccfb917d378be6ed5df817bf753d96e1d
- SSDEEP
  
  12288:Pr5Nxzs78p/cJCzQkgtr80XGjObPkOOfIiteSmF0Z/:PFvzs7bJWbgtopibPkOOnm0
Score

10^/10

modiloader trojan formbook xloader uj3c loader persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- ModiLoader Second Stage
- Xloader payload
  rat
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

formbookmodiloaderxloaderuj3cloaderpersistenceratspywarestealertrojan