formbook

General

Target

3093827637263.zip
Size

524KB
Sample

230615-se18nsab56
MD5

4c068dce762d9fd9659e073508725305
SHA1

6866f0e387d29f487031677a17a65eb6e3c62982
SHA256

84a54ee3cc58bba355daca05973507cf1b2ad1867874011ef9ed3d8f02a848ce
SHA512

c7659047f1c0ba15ec8f27fa101daaf9f8b2fa2d9d36024e5f9614dd37244cee2f3884438846406691c4bcf3a060abc0d3f8b663de5a9331adfbb8a0c2f50902
SSDEEP

12288:LNfE3P/CnlQJwXuqtqKCZJZiC8f7hg8qvb4h//8Nxb5h:LFM6n+kJYKCZJsg8sbe/ENxbT

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Targets

- Target
  
  3093827637263.exe
- Size
  
  1.0MB
- MD5
  
  749ce2276567faddc7fdb2bc59c13a6c
- SHA1
  
  8a45a6ee8553f4f55ec0fb416d62e6436507d8f9
- SHA256
  
  9932a48daf4df5a5f07836851c8b594bb54ede58c85fdb22f3198acd61da701e
- SHA512
  
  324243d0104f4e0a7edecdb0fcebb93809b3fc6cb140b18c2c1f8406f1b697bb0c17785bc768f27b6b86bf18a9e168aa2951bc3ec3df3d5cc36fccc6c09c026d
- SSDEEP
  
  24576:Zs/dShaR6+yPvvIYHGrw8R+d7BOQ6nWz0:Zs/uC4JHGU0gBOQ6Wz0
Score

10^/10

modiloader trojan formbook xloader uj3c loader persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- ModiLoader Second Stage
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Xloader

ModiLoader Second Stage

Xloader payload

Adds policy Run key to start application

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2