formbook | 611ccb1d6251e3c51bf807fe03850e09229f3420477bf9a5d18e185f3dd7b4a4 | Triage

Sharing

General

Target

_RFQ_MVSEASAIL_34.xlsx
Size

2.2MB
Sample

210121-j8c7v8gnk2
MD5

1e885c00156d5de8ae0b075c09638ebb
SHA1

62d93138955f35ef8ddadbf4f530fd6dc0d1beb1
SHA256

611ccb1d6251e3c51bf807fe03850e09229f3420477bf9a5d18e185f3dd7b4a4
SHA512

7af24dd6ac7e6b33c498cde3d2783d882c78ec84ebd0e5f6369e3ea74e9e3c339398232f9db7a4d2c9348ab4e31910b387f4f709cdc5c936962c4449d8a864b9

Score

10^/10

formbook xloader loader ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.kaiyuansu.pro/incn/

Decoy

1bovvfk93jd.com

enlightenedhealthcoaching.com

findthatsmartphone.com

intelligentsystemsus.com

xn--lmsealamientos-tnb.com

eot0luh5ia.men

babanewshop.com

beyond-bit.com

meritane.com

buythinsecret.com

c2ornot.com

twelvesband.com

rktlends.com

bourseandish.com

happyshop88.com

topangacanyonvintage.com

epersonalloansonline.com

roofers-anaheim.com

shanghaiys.net

bickel.wtf

Targets

- Target
  
  _RFQ_MVSEASAIL_34.xlsx
- Size
  
  2.2MB
- MD5
  
  1e885c00156d5de8ae0b075c09638ebb
- SHA1
  
  62d93138955f35ef8ddadbf4f530fd6dc0d1beb1
- SHA256
  
  611ccb1d6251e3c51bf807fe03850e09229f3420477bf9a5d18e185f3dd7b4a4
- SHA512
  
  7af24dd6ac7e6b33c498cde3d2783d882c78ec84ebd0e5f6369e3ea74e9e3c339398232f9db7a4d2c9348ab4e31910b387f4f709cdc5c936962c4449d8a864b9
Score

10^/10

formbook xloader loader ransomware rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderloaderransomwareratspywarestealertrojan

behavioral2