formbook | 0f1834fd9ddda99d631bb06ffb5b92a577ec6734c5339301b95ee27be99069ed | Triage

Submit
Reports

Overview

overview

Static

static

3

b25eec1ba4...14.exe

windows7-x64

b25eec1ba4...14.exe

windows10-2004-x64

Sharing

General

Target

49985cf212ea355f93e38481c8376734.bin
Size

393KB
Sample

230723-btvwrsch63
MD5

127e473885759459143ff3d31bc347f3
SHA1

8617452eb07b1bb44864284b3e913ddcba540dfd
SHA256

0f1834fd9ddda99d631bb06ffb5b92a577ec6734c5339301b95ee27be99069ed
SHA512

49792f88686957fb25e55389aca54181a3c05f7b09194bf1b95937075dc2cbcfdbcddb53eea4ca16b495f56f2f526ded17bbbac44d762e57c2579b525b9b3dc9
SSDEEP

12288:kWHJKVNn6qHS8k4cnev9jBKYh/sWuWUmV:1HENn6q9+nysiUK

Score

10^/10

formbook modiloader xloader uj3c loader persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe

Resource

win7-20230712-en

modiloader trojan

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe

Resource

win10v2004-20230703-en

formbook modiloader xloader uj3c loader persistence rat spyware stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

intercontinentalship.com

moneytaoism.com

agardenfortwo.com

trendiddas.com

fjuoomw.xyz

dantvilla.com

shopwithtrooperdavecom.com

lanwenzong.com

xpertsrealty.com

gamelabsmash.com

nomaxdic.com

chillyracing.com

mypleasure-blog.com

projectkyla.com

florurbana.com

oneplacemexico.com

gografic.com

giantht.com

dotombori-base.com

westlifinance.online

maacsecurity.com

lydas.info

instapandas.com

labustiadepaper.net

unglue52.com

onurnet.net

wellkept.info

6111.site

platinumroofingsusa.com

bodyplex.fitness

empireapothecary.com

meigsbuilds.online

garygrover.com

nicholasnikas.com

yd9992.com

protections-clients.info

sueyhzx.com

naturathome.info

superinformatico.net

printsgarden.com

xn--qn1b03fy2b841b.com

preferable.info

ozzyconstructionma.com

10stopp.online

nutricognition.com

Targets

- Target
  
  b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14.exe
- Size
  
  790KB
- MD5
  
  49985cf212ea355f93e38481c8376734
- SHA1
  
  9f1e5fe65d87e70f1a2f46928728f097e15f7517
- SHA256
  
  b25eec1ba4f98d59e8fbb6d5ee791f86ad2ec3882f49a9df12794d1b519fdc14
- SHA512
  
  67d5d117834d0d611b8c574aecc972cdb8fc99d43a3926947320a56181bf0c1943057a8068d9aa2bc5050d808f67fb49c06b5e1bb25c65696662ef0a701405a6
- SSDEEP
  
  24576:rk/A25GoqxIJs7ks3XJrPz6cDCnvM3qv9:rKAKGj7ks35rPmaCnvM6v9
Score

10^/10

modiloader trojan formbook xloader uj3c loader persistence rat spyware stealer
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Suspicious use of NtCreateProcessOtherParentProcess
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- ModiLoader Second Stage
- Xloader payload
  rat
- Blocklisted process makes network request
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

formbookmodiloaderxloaderuj3cloaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy