formbook | a12973c256e6565a0635fb0febaed5ed56f613d23b864df409f32f832a3af19f | Triage

Submit
Reports

Overview

overview

Static

static

shipping d...ts.exe

windows7_x64

shipping d...ts.exe

windows10-2004_x64

Sharing

General

Target

shipping documents.exe
Size

545KB
Sample

220621-ewx1pabddj
MD5

9c51dcdcbb9a4cab887c3036bf8acea5
SHA1

7f0a99049ce06b600a89516d77adf3649593be21
SHA256

a12973c256e6565a0635fb0febaed5ed56f613d23b864df409f32f832a3af19f
SHA512

3022ec309b092bb79990ffead9240b27b1973b27c73b6f31a74cabcf854be72b4d67c504ed4c9f4218e4dae37b1825a29185ff55a566d582b1d3a316d3332f58

Score

10^/10

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

shipping documents.exe

Resource

win7-20220414-en

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

shipping documents.exe

Resource

win10v2004-20220414-en

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

gfv7

Decoy

hd4AZDZ3XeSkZ9w0NRn2+JU=

6iAxmGKdumxFEgwp

jM6QcxNUSeCKaUdvvh3g9mffhosQ

d4CC0LS0DjTJS8FdXqd3soM=

S1LPlXEIJY52Og==

doeO7AimsF0NEvFgnIV5

W2TlzH/byHtUU3B7tw==

Y2RAbyZjex2qj6GQv4Q=

ftoOsCpZdfmALQ==

4kqL8v/6rDj8Ohs/wAjkb0gD5Gfiww==

8mVs/AkvwLnIWp4=

yfqAazgHioT8b9yHSKpLDtgY

EyWD5F+Wu3L0xq/VJXgdlnFvBDdUz5WM

jn9ty+pdRNdtcDhJ5k8nwZofm4EJ

s9XVNv4/aRDBUx4w

+vHFE7Fw1rnIWp4=

wC395Yvi6G/3yoWRGW1USxzshi3Dyw==

jcbufIN91gHAUK1RYUMYIdyqpDlUz5WM

iIyoIvZNXwPNmBlBxGk6+A==

C/hTD8h/KWLiMW4Mt/joXyz23Q==

V5ApC8yE9ga07OV4Q61LDtgY

xtLNTFFs/RCJA4orMGL9ApU=

/AKLeE8idfmALQ==

WJL8UAHhVg7FSqAxOWL9ApU=

9iK1jWPdwWJFEgwp

Rz0Nb3NpyLnIWp4=

th3awtVSNNiFPLlnLxPmXyz23Q==

PLAGb2JN/0tFEgwp

DwBJL0vXwz6VU3B7tw==

bOAIYklXEJsP7BUDjxTubP8Q

AzA1r1ApwbnIWp4=

GY7VFP8Z42Eu0zrPgv7M27H2j0s=

M1Xf2X3iJY52Og==

TniK5ZHG5YsoO/UBSCIK04Osyg==

bNielgswlcIx

BT5/syRLwuaFFoo=

zwZKrUOtnTLZkPUBUkIUo7nAxA==

S3TY7rP8Gao+W6GQv4Q=

8vR8aFToJinc8vkLXbaY8pHOkINUz5WM

fn99yILT1WJFEgwp

4CI0fVVcxeyXIYwwPVLo9Iw=

hq6/DbfACpAm

ZJBMLtsgRN6izYKOI6xLDtgY

0w51/t24cgbsNUTkoS3BBZM=

KigtlHKAVuSnOpkzO1Lo9Iw=

QJKEvBztdfmALQ==

JCr9WGswGbg7

cbnlTTM1lc+s9s/6j/3mXyz23Q==

nC9880u66IpFEgwp

8l0tFQeq3HFHilpg32RN0GRVOaxXKO8YOA==

aV4laF9ZdfmALQ==

p8+JhjIKxEMWa1707GVKBdbbhi3Dyw==

lsDLGs6vauq8ERrIkwrU1m76mhgPoVk=

VmL44pRG8A56zSK0xGk6+A==

0MtFU1jACpAm

ASApso7Btzm4sbLiY79LDtgY

ULrfRv1BUwzoty9HxGk6+A==

qasiAbIOJY52Og==

UZN9Xx2miW9FEgwp

zDMIAhSLts63jRpCxGk6+A==

f3gLFxpk+DG+U3B7tw==

qzWSblb1ernIWp4=

+CZPmjzmSGIHjN6BSapLDtgY

jsw3l0sshQ0MzjNRqA==

littlemountainnomad.com

Targets

- Target
  
  shipping documents.exe
- Size
  
  545KB
- MD5
  
  9c51dcdcbb9a4cab887c3036bf8acea5
- SHA1
  
  7f0a99049ce06b600a89516d77adf3649593be21
- SHA256
  
  a12973c256e6565a0635fb0febaed5ed56f613d23b864df409f32f832a3af19f
- SHA512
  
  3022ec309b092bb79990ffead9240b27b1973b27c73b6f31a74cabcf854be72b4d67c504ed4c9f4218e4dae37b1825a29185ff55a566d582b1d3a316d3332f58
Score

10^/10

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloadergfv7loaderpersistenceratspywarestealersuricatatrojan

behavioral2

formbookxloadergfv7loaderpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy