formbook | aef989d19eb5f5d3042ccb78cb984327a90cf1946522c42bd34bed927fe80c0b | Triage

Sharing

General

Target

JaffaCakes118_aef989d19eb5f5d3042ccb78cb984327a90cf1946522c42bd34bed927fe80c0b
Size

389KB
Sample

241230-avbnva1ras
MD5

1e8d8c72c395272f7b968aafd7ef26b7
SHA1

8ffa2fa227821c90c54d44084b13c0d1241be782
SHA256

aef989d19eb5f5d3042ccb78cb984327a90cf1946522c42bd34bed927fe80c0b
SHA512

d92553f001f7f85f6bc145468babb3955dab95b7318f62e3772a9e75f933b41b1232530a7a401acd8a44bd630bdc070127bd3001d758edb3611fc434ad873439
SSDEEP

6144:ixoMz9UaHz4ETSGNOtZ1551T8jhmWCQfCxlwNVl6zgoORZSBs1Acb:ixoMpjHbSGNgro1mWCQ6a3IzgoOrOoT

Score

10^/10

formbook xloader 8ah discovery loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

8ah

Decoy

outcrewz.com

superstormkleenup.com

onewildmermaid.com

awhvh.com

fundacionamoryesperanza.com

raisingabbi.com

peersonpurpose.com

brasilliana.com

bkkshutter68.com

revistaartesanato.net

machadiet.com

hurricanefloodcleaning.com

poshmargarita.life

skyhighet.com

letsgetrealyyc.com

wiringplusllc.com

news3105.pictures

huaxiangyan.com

telesecretariat-medical.com

imcc-j.com

Targets

- Target
  
  PI2009153.exe
- Size
  
  435KB
- MD5
  
  2261b6b87980a9fe9d22499c32af581a
- SHA1
  
  ad538af5295f9b670f3bc23c6d4c3bf79d388572
- SHA256
  
  a6ec6fd1e4c0673bde9231a68752edca4fb9fda60e342cd735ff53729d262da8
- SHA512
  
  600416010f13514e3faa2fdda94df93ae89b6f964381ee02c1a9a982a6aaec2c823bb7235b57bee33ab5c8e07f89293c1ca988f9f772e5da207f3d8336fcbde9
- SSDEEP
  
  12288:aZ41MVuZj2uUPrxLfCl2/reQIh2+J6tzyvscuPbR:aZ9VUfCrxjCUeFh2+JWuvscER
Score

10^/10

xloader 8ah discovery loader rat formbook persistence spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloader8ahdiscoveryloaderrat

behavioral2

formbookxloader8ahdiscoveryloaderpersistenceratspywarestealertrojan