formbook | af90961d9204c394bf5e3063e42ef2541160aaff6029c0bbd68499400c79a7ed | Triage

Submit
Reports

Overview

overview

Static

static

MV TRUONG ...A.xlsx

windows7_x64

MV TRUONG ...A.xlsx

windows10-2004_x64

1

Sharing

General

Target

MV TRUONG MINH SEA.xlsx
Size

176KB
Sample

220705-dxf8wsfea3
MD5

bfc885ac8275d3a48401b4fade16bb93
SHA1

0aab3160b4ea537f39253eaa67fe5491a99d72fd
SHA256

af90961d9204c394bf5e3063e42ef2541160aaff6029c0bbd68499400c79a7ed
SHA512

6e6624823b3d4f6988840df7491f468333044f7410ab2684c47a4db4cfa5dbfb3a9e28e41813abbf37f762cb5a32dbed0b2e7b8fe1b7c9baba6b413a64737170

Score

10^/10

formbook xloader iewb loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

MV TRUONG MINH SEA.xlsx

Resource

win7-20220414-en

formbook xloader iewb loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

MV TRUONG MINH SEA.xlsx

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

iewb

Decoy

n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==

5vIAIY+pt81OtWs+FdIEdk7Y

LHIKc+oWGIQUUlfAAtEEdk7Y

ePM/cX2jvHrS

5hvPEw22+fdvmJz3C8FIVq0=

mb9EeX2jvHrS

Dx2zIYNvfjo8VUo5

6jVPnyJekv2RAc4gLKNwEqQ=

KWatHyjdE5Gj1Ng=

t9lk70gzUAZty4qjbVjF

6eUBeFPzKBWT125BFNIEdk7Y

dZUXOIyqTJGj1Ng=

iL3TVh2Jl5QVStnzxcAhIL8=

J1prtyklUfZGR/xDD71IbkWRd2yx

s9FgCOBRW9bU0Y6jbVjF

RYCbQDzcFBhcylgu

Fl0BV/8RJm6F9QRg8LXXTLo=

0dhumHzrCCZ3wdQg7nFF1AlL6Tk=

xvL+iL6wwX+/wH9K4lbZ/A==

N0lVceIFD5Gj1Ng=

5/mnQbHhJ7IzcYjyQbXXTLo=

luHuIKrfNeUkJOfRV0dA8o3Ghkt95g==

yuh2thpBWtHl2ZV48rXXTLo=

ADcuaODkD5eytord4lbZ/A==

PIWRAgq8/zx4aipDyILc

TdUPJBksRZU=

NorCQjrrH5Gj1Ng=

WXUOku0EDZGj1Ng=

4w8mrX8lanCcoWZLU0SkkkSRd2yx

KIYkq/0QN5gPTFK37XszY0fa

s8lIykhdVZjlEA1g8LXXTLo=

AkBw4LE9RQNHkyRsMQ==

fLzVWEjyMarikyRsMQ==

6j1f2ZsFFRpcylgu

zu3YwbBReoIuUh1vdsGonTCDfw==

EGD0PEju53oDSuwu9765d/4KSkXU3Qxh

rc0aZhksRZU=

Un//ZcCsqyaNtEcnt6mLu7Lqdw==

V4Eqwh4FEHqIflW508EYzYSbOeC5

EiWpwJgAFRV5e1r60cAEdk7Y

VW8Pf9PN65HU1otP4lbZ/A==

FFdOyJcMGxpcylgu

KztLpY85vJkLFw==

yh8vtO4GRPQ2kyRsMQ==

qMfrSiqZvghLUyRy/7XXTLo=

eKTGPwmf3swEq2Y3

aoseYSTrlPsvGQ==

Z6tKw0RfgS5+1o6jbVjF

CyU0azDFBZGj1Ng=

7Cy+5co/ZZbhC8dW6eo=

LXmN0EJimQWHylwnbTS6afIlJZHj+Q==

2R2cFWiX1hlZYz2UKh4i12ikiTP55p5Bfg==

jqHcD+eAi5EYlVrJm0TN

cqO55WilyvQ9mG1P4lbZ/A==

BERqtpY6pZDbB8dW6eo=

VpzDHQBueZvY24qjbVjF

OWUELQ6s28NVxom7evrIPfCLfw==

5iO6Dg619fIVQz+Q3I+ZMdmwry4=

d6GiFh7QJaHO2Jxz8bXXTLo=

NlFh6bdVeihxxT1MH+A+TL3MaA==

0PWJHpPJ9zh3nasMO8FIVq0=

19Fom6FBSQ1QrMU=

aYWBmw6431DfHsdW6eo=

Jj7U++2X3M4Eq2Y3

mounscape.com

Targets

- Target
  
  MV TRUONG MINH SEA.xlsx
- Size
  
  176KB
- MD5
  
  bfc885ac8275d3a48401b4fade16bb93
- SHA1
  
  0aab3160b4ea537f39253eaa67fe5491a99d72fd
- SHA256
  
  af90961d9204c394bf5e3063e42ef2541160aaff6029c0bbd68499400c79a7ed
- SHA512
  
  6e6624823b3d4f6988840df7491f468333044f7410ab2684c47a4db4cfa5dbfb3a9e28e41813abbf37f762cb5a32dbed0b2e7b8fe1b7c9baba6b413a64737170
Score

10^/10

formbook xloader iewb loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderiewbloaderpersistenceratspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy