formbook

General

Target

U prilogu nova narudzba.exe
Size

722KB
Sample

230301-jrjpqaeh2y
MD5

fe67f9173fcdd83f563f0532b8846cc3
SHA1

eac9dad660365acdd4c3cc8045dd565690186f56
SHA256

45d68cb2a4e2ea11ba073766a2de69759539026cc66a0215f48ff46342e3ed84
SHA512

085b834acb12609de8c9c227ca4a055f25641d04832230bc21c5b3ae2b4c1c28d9b000ce77dec3c3e7bdc621e73a957300a0d9d05278ff1b0d31708fdab4b32f
SSDEEP

12288:HoDzEcLL4ZjVUi0EosOijSmrXO9Ax3mIEDs0wvw1UjSxFrXhy:HG4s0jVLyijxZx2qI1OSxdXE

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

euv4

Decoy

anniebapartments.com

hagenbicycles.com

herbalist101.com

southerncorrosion.net

kuechenpruefer.com

tajniezdrzi.quest

segurofunerarioar.com

boardsandbeamsdecor.com

alifdanismanlik.com

pkem.top

mddc.clinic

handejqr.com

crux-at.com

awp.email

hugsforbubbs.com

cielotherepy.com

turkcuyuz.com

teamidc.com

lankasirinspa.com

68135.online

Targets

- Target
  
  U prilogu nova narudzba.exe
- Size
  
  722KB
- MD5
  
  fe67f9173fcdd83f563f0532b8846cc3
- SHA1
  
  eac9dad660365acdd4c3cc8045dd565690186f56
- SHA256
  
  45d68cb2a4e2ea11ba073766a2de69759539026cc66a0215f48ff46342e3ed84
- SHA512
  
  085b834acb12609de8c9c227ca4a055f25641d04832230bc21c5b3ae2b4c1c28d9b000ce77dec3c3e7bdc621e73a957300a0d9d05278ff1b0d31708fdab4b32f
- SSDEEP
  
  12288:HoDzEcLL4ZjVUi0EosOijSmrXO9Ax3mIEDs0wvw1UjSxFrXhy:HG4s0jVLyijxZx2qI1OSxdXE
Score

10^/10

modiloader trojan formbook xloader euv4 loader persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- ModiLoader Second Stage
- Xloader payload
  rat
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Xloader

ModiLoader Second Stage

Xloader payload

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2