formbook | 06ec8a555a6c889ed00cf5d054d1ee4e148c02a0f80ef3aabef4189917ab8fc5 | Triage

Sharing

General

Target

01f0d49ce7156ac79ad7d69737e15e77_JaffaCakes118
Size

308KB
Sample

240727-2znmrawfqa
MD5

01f0d49ce7156ac79ad7d69737e15e77
SHA1

59af534c6536183710d5aa573b54859b115790c9
SHA256

06ec8a555a6c889ed00cf5d054d1ee4e148c02a0f80ef3aabef4189917ab8fc5
SHA512

fc0a3dae628f6bbe272c95e88a0f67ff916d395268a34e22d22340e997ed83ac87a2baf349838e5641fe12342525cfb7337be40389fe97c4141fb6c8a969c67d
SSDEEP

6144:q7uMRDj5EtspXRml7CQZVmTJCSi88zwENITARkpXmJ4N83CYSbuF:qFRf5WUUlP7VSi84/NITYkp4tSbq

Score

10^/10

formbook xloader war0 credential_access discovery loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.0

Campaign

war0

Decoy

siompany.net

55667879.com

smallmouth.net

fordforlano.net

placadesilicon.com

btw-butler.com

almbeauty.com

jbthomson.com

presidentialtennessee.com

chiropractorinnorthport.com

yourber.com

get-luxurycruise.rocks

strakellc.com

eukncg.info

pablovergara.info

sologoods.com

toledovista.com

weightlosscoffees.com

echoawyer.com

csproductionsmedia.com

Targets

- Target
  
  E-Fatura000000000382920.exe
- Size
  
  574KB
- MD5
  
  e93ee7a71781b3a3dcf2f950ce1de7ee
- SHA1
  
  7157241ac402a3ffbab5082f6903cb816c1cbe16
- SHA256
  
  80402770a7a4ab721bd8c0f964330035e0bbd7524995c26eed67990b6915c3c9
- SHA512
  
  0c50b475e9a198166f0496a938b650f3f048042df2ca6e7b0e92f80abb5dbb983514ef73ccbe8743e6e7fd57e5fea002383185b7633e80d21b3f6386a0e428ca
- SSDEEP
  
  12288:dqCZOhL2k4zUQWkKLMZckbYv9QwwC1zzjtYARJU/dQ:dqfoW1LM7bUSwt16d
Score

10^/10

xloader war0 discovery loader rat formbook credential_access persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderwar0discoveryloaderrat

behavioral2

formbookxloaderwar0credential_accessdiscoveryloaderpersistenceratspywarestealertrojan