formbook | cbc3c8432b8722c7c4504e93ad97e9dcea7d7df9e018893e981cf7e5ebbc8eb4 | Triage

Sharing

General

Target

SHEXD210117S_ShippingDocument_DkD.xlsx
Size

2.3MB
Sample

210119-5hcm6y2jje
MD5

bae7476565583cc0aa5a3947495b7626
SHA1

239ad3d5064b678d48ec18d3fae04110e7ef17e9
SHA256

cbc3c8432b8722c7c4504e93ad97e9dcea7d7df9e018893e981cf7e5ebbc8eb4
SHA512

c98274e684b3948d282b63f0ad8e83a8b86a2926da6b4865a1a6cd38005a428632fb34059eba7f096186220e0c1368a8d758c4af173e3510ab56590606071b02

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.stonescapes1.com/de92/

Decoy

zindaginews.com

tyelevator.com

schustermaninterests.com

algemixdelchef.com

doubscollectivites.com

e-butchery.com

hellbentmask.com

jumbpprivacy.com

teeniestiedye.com

playfulartwork.com

desertvacahs.com

w5470-hed.net

nepalearningpods.com

smoothandsleek.com

thecannaglow.com

torrentkittyla.com

industrytoyou.com

raquelvargas.net

rlc-nc.net

cryptoprises.com

Targets

- Target
  
  SHEXD210117S_ShippingDocument_DkD.xlsx
- Size
  
  2.3MB
- MD5
  
  bae7476565583cc0aa5a3947495b7626
- SHA1
  
  239ad3d5064b678d48ec18d3fae04110e7ef17e9
- SHA256
  
  cbc3c8432b8722c7c4504e93ad97e9dcea7d7df9e018893e981cf7e5ebbc8eb4
- SHA512
  
  c98274e684b3948d282b63f0ad8e83a8b86a2926da6b4865a1a6cd38005a428632fb34059eba7f096186220e0c1368a8d758c4af173e3510ab56590606071b02
Score

10^/10

formbook xloader loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderloaderratspywarestealertrojan

behavioral2