formbook | 14a0af77c8fab65395925348cb39c058dd0e619e33055f6a3f895c295aaa6783 | Triage

Submit
Reports

Overview

overview

Static

static

Shipping-Docs.exe

windows7_x64

Shipping-Docs.exe

windows10-2004_x64

Sharing

General

Target

Shipping-Docs.exe
Size

501KB
Sample

220707-f1krlafgc8
MD5

c865088690870930ec48ae54209e37a3
SHA1

b6bfc53eb8577cfafe3ef5670faf56e6b2f10a3c
SHA256

14a0af77c8fab65395925348cb39c058dd0e619e33055f6a3f895c295aaa6783
SHA512

d233fb9735eca4d18dc4a2642d2fcbeb386a5d5ffd480aa6e09a7b29567417b1ecf588dc004975c97b08dd3cd05dc7c48105b87804a8e37c8a1af649b95f653f

Score

10^/10

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

Shipping-Docs.exe

Resource

win7-20220414-en

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Shipping-Docs.exe

Resource

win10v2004-20220414-en

xloader gfv7 loader persistence rat spyware stealer suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

gfv7

Decoy

hd4AZDZ3XeSkZ9w0NRn2+JU=

6iAxmGKdumxFEgwp

jM6QcxNUSeCKaUdvvh3g9mffhosQ

d4CC0LS0DjTJS8FdXqd3soM=

S1LPlXEIJY52Og==

doeO7AimsF0NEvFgnIV5

W2TlzH/byHtUU3B7tw==

Y2RAbyZjex2qj6GQv4Q=

ftoOsCpZdfmALQ==

4kqL8v/6rDj8Ohs/wAjkb0gD5Gfiww==

8mVs/AkvwLnIWp4=

yfqAazgHioT8b9yHSKpLDtgY

EyWD5F+Wu3L0xq/VJXgdlnFvBDdUz5WM

jn9ty+pdRNdtcDhJ5k8nwZofm4EJ

s9XVNv4/aRDBUx4w

+vHFE7Fw1rnIWp4=

wC395Yvi6G/3yoWRGW1USxzshi3Dyw==

jcbufIN91gHAUK1RYUMYIdyqpDlUz5WM

iIyoIvZNXwPNmBlBxGk6+A==

C/hTD8h/KWLiMW4Mt/joXyz23Q==

V5ApC8yE9ga07OV4Q61LDtgY

xtLNTFFs/RCJA4orMGL9ApU=

/AKLeE8idfmALQ==

WJL8UAHhVg7FSqAxOWL9ApU=

9iK1jWPdwWJFEgwp

Rz0Nb3NpyLnIWp4=

th3awtVSNNiFPLlnLxPmXyz23Q==

PLAGb2JN/0tFEgwp

DwBJL0vXwz6VU3B7tw==

bOAIYklXEJsP7BUDjxTubP8Q

AzA1r1ApwbnIWp4=

GY7VFP8Z42Eu0zrPgv7M27H2j0s=

M1Xf2X3iJY52Og==

TniK5ZHG5YsoO/UBSCIK04Osyg==

bNielgswlcIx

BT5/syRLwuaFFoo=

zwZKrUOtnTLZkPUBUkIUo7nAxA==

S3TY7rP8Gao+W6GQv4Q=

8vR8aFToJinc8vkLXbaY8pHOkINUz5WM

fn99yILT1WJFEgwp

4CI0fVVcxeyXIYwwPVLo9Iw=

hq6/DbfACpAm

ZJBMLtsgRN6izYKOI6xLDtgY

0w51/t24cgbsNUTkoS3BBZM=

KigtlHKAVuSnOpkzO1Lo9Iw=

QJKEvBztdfmALQ==

JCr9WGswGbg7

cbnlTTM1lc+s9s/6j/3mXyz23Q==

nC9880u66IpFEgwp

8l0tFQeq3HFHilpg32RN0GRVOaxXKO8YOA==

aV4laF9ZdfmALQ==

p8+JhjIKxEMWa1707GVKBdbbhi3Dyw==

lsDLGs6vauq8ERrIkwrU1m76mhgPoVk=

VmL44pRG8A56zSK0xGk6+A==

0MtFU1jACpAm

ASApso7Btzm4sbLiY79LDtgY

ULrfRv1BUwzoty9HxGk6+A==

qasiAbIOJY52Og==

UZN9Xx2miW9FEgwp

zDMIAhSLts63jRpCxGk6+A==

f3gLFxpk+DG+U3B7tw==

qzWSblb1ernIWp4=

+CZPmjzmSGIHjN6BSapLDtgY

jsw3l0sshQ0MzjNRqA==

littlemountainnomad.com

Targets

- Target
  
  Shipping-Docs.exe
- Size
  
  501KB
- MD5
  
  c865088690870930ec48ae54209e37a3
- SHA1
  
  b6bfc53eb8577cfafe3ef5670faf56e6b2f10a3c
- SHA256
  
  14a0af77c8fab65395925348cb39c058dd0e619e33055f6a3f895c295aaa6783
- SHA512
  
  d233fb9735eca4d18dc4a2642d2fcbeb386a5d5ffd480aa6e09a7b29567417b1ecf588dc004975c97b08dd3cd05dc7c48105b87804a8e37c8a1af649b95f653f
Score

10^/10

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloadergfv7loaderpersistenceratspywarestealersuricatatrojan

behavioral2

xloadergfv7loaderpersistenceratspywarestealersuricata

© 2018-2024

Terms | Privacy