formbook

General

Target

3808ccaaa210176453b1d9e91350b6d0f517aeaf87c1d60cc883fd54e7c0737d
Size

910KB
Sample

230321-nr4r4sca5x
MD5

3e52d253587020a97aa22cf6abed57c9
SHA1

e0abab76fe991dc6a8288b067474facf0a83ef1b
SHA256

3808ccaaa210176453b1d9e91350b6d0f517aeaf87c1d60cc883fd54e7c0737d
SHA512

2fe990183f79df2d92c345164efbbb30b3c1e7244b3d3698768389645960a141afdff957875ae69deac030510385751f86d596c2079d03f267f696addaa9cfce
SSDEEP

12288:cvI/SRZe0WFIQ38UWtwn/8vprceJz5Roy59N7axbIeYPG48SLuk8A1HdY5mQPmdx:cQ3SQ3XWtwn/8vB99mDkTyYQPE29K

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Targets

- Target
  
  3808ccaaa210176453b1d9e91350b6d0f517aeaf87c1d60cc883fd54e7c0737d
- Size
  
  910KB
- MD5
  
  3e52d253587020a97aa22cf6abed57c9
- SHA1
  
  e0abab76fe991dc6a8288b067474facf0a83ef1b
- SHA256
  
  3808ccaaa210176453b1d9e91350b6d0f517aeaf87c1d60cc883fd54e7c0737d
- SHA512
  
  2fe990183f79df2d92c345164efbbb30b3c1e7244b3d3698768389645960a141afdff957875ae69deac030510385751f86d596c2079d03f267f696addaa9cfce
- SSDEEP
  
  12288:cvI/SRZe0WFIQ38UWtwn/8vprceJz5Roy59N7axbIeYPG48SLuk8A1HdY5mQPmdx:cQ3SQ3XWtwn/8vB99mDkTyYQPE29K
Score

10^/10

modiloader trojan formbook xloader uj3c loader persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- ModiLoader Second Stage
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Xloader

ModiLoader Second Stage

Xloader payload

Adds policy Run key to start application

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2