General

  • Target

    Trojan.Win32.FormBook.AR.MTB-7d9ccf7be546cdad2baab25c98336224ae050f477594647c9a8adf6b8700011aN

  • Size

    524KB

  • Sample

    240916-rf46aa1gjg

  • MD5

    e125cbe585e654316d5ab0c2a73bd830

  • SHA1

    62bf4c0a8fbd8a30663e468cf865b1c6e5f5a7bc

  • SHA256

    7d9ccf7be546cdad2baab25c98336224ae050f477594647c9a8adf6b8700011a

  • SHA512

    57d6ae7a7b4c13d23f0ac17a1a684a81155a4e233a107fc275e5d901db70dd4d246f7f746852d4bf4bfd17c522f0ef7e666e983f766c04248b885e044dcc704c

  • SSDEEP

    12288:X9pL8dQnSsG5u8j/cYRHFuVP32+8AEDuME4lbMIOy:X9pL8dQnSsG5umRHFKD8AED+ibMXy

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.3

  • Campaign

    ma3c

  • Decoy

Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Deletes itself

    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks