formbook

General

Target

WSAPW0650867.xlsx
Size

162KB
Sample

220628-kbvmqaaab2
MD5

2f61395a0fe614c7eedf81c320828162
SHA1

5df8981874133d46ce0191a57708700c6388e3da
SHA256

baea29755ad7d0d89ae6ec2229bb06fafaf5a68869b3f07adad15e7020a79fd1
SHA512

b321278919028dd0e2f69e3c69f3fdd933dc1cf424ea73267f9aa6025ba5c96c6c0973a993fac52c1a4583e4147251408152cb6b1eec2f5afc5591fb1b6d1a01

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

iewb

Decoy

n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==

5vIAIY+pt81OtWs+FdIEdk7Y

LHIKc+oWGIQUUlfAAtEEdk7Y

ePM/cX2jvHrS

5hvPEw22+fdvmJz3C8FIVq0=

mb9EeX2jvHrS

Dx2zIYNvfjo8VUo5

6jVPnyJekv2RAc4gLKNwEqQ=

KWatHyjdE5Gj1Ng=

t9lk70gzUAZty4qjbVjF

6eUBeFPzKBWT125BFNIEdk7Y

dZUXOIyqTJGj1Ng=

iL3TVh2Jl5QVStnzxcAhIL8=

J1prtyklUfZGR/xDD71IbkWRd2yx

s9FgCOBRW9bU0Y6jbVjF

RYCbQDzcFBhcylgu

Fl0BV/8RJm6F9QRg8LXXTLo=

0dhumHzrCCZ3wdQg7nFF1AlL6Tk=

xvL+iL6wwX+/wH9K4lbZ/A==

N0lVceIFD5Gj1Ng=

Targets

- Target
  
  WSAPW0650867.xlsx
- Size
  
  162KB
- MD5
  
  2f61395a0fe614c7eedf81c320828162
- SHA1
  
  5df8981874133d46ce0191a57708700c6388e3da
- SHA256
  
  baea29755ad7d0d89ae6ec2229bb06fafaf5a68869b3f07adad15e7020a79fd1
- SHA512
  
  b321278919028dd0e2f69e3c69f3fdd933dc1cf424ea73267f9aa6025ba5c96c6c0973a993fac52c1a4583e4147251408152cb6b1eec2f5afc5591fb1b6d1a01
Score

10^/10

xloader iewb loader persistence rat spyware stealer suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  decrypted
- Size
  
  156KB
- MD5
  
  4e4e1faa4f89fd324a0d3cb7609740ee
- SHA1
  
  c9194e4a27abcf199dd82e6cefc12c100f60c745
- SHA256
  
  4fa076b9edb70ff44a8c67442a5337293d9e6c6c9c9bf9acc23fce485116a741
- SHA512
  
  8500aca084c2f591aa0bf2b29f40d6be0866f72c27b869992d66cb754d879554cd41a70fccabbaff01f8e09f8e529102532560c4673e9b1e270724219458f43b
Score

10^/10

formbook xloader iewb loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4