General
-
Target
RFQ-07072022.exe
-
Size
774KB
-
Sample
220706-pt27qsegd4
-
MD5
e2097690a366910f7feb9145a0565784
-
SHA1
592786f2d6c84a2a38882f43a3ac2eac9414774a
-
SHA256
9a39f92f22837a2d1eabdc7b7f0eeff451de21fdf80261739301602ea3d9cdeb
-
SHA512
b56e3bf6d1f42c2ab068fc5e16034fc273d97dac557ac222e46d5640947dbfa71b556d64ffd7b6c25f352c5dd98d300bbad725cc4428741de2ecf1e8fd421f17
Malware Config
Targets
-
-
Target
RFQ-07072022.exe
-
Size
774KB
-
MD5
e2097690a366910f7feb9145a0565784
-
SHA1
592786f2d6c84a2a38882f43a3ac2eac9414774a
-
SHA256
9a39f92f22837a2d1eabdc7b7f0eeff451de21fdf80261739301602ea3d9cdeb
-
SHA512
b56e3bf6d1f42c2ab068fc5e16034fc273d97dac557ac222e46d5640947dbfa71b556d64ffd7b6c25f352c5dd98d300bbad725cc4428741de2ecf1e8fd421f17
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload
-
Adds policy Run key to start application
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-