formbook

General

Target

MT103_Advice.exe
Size

498KB
Sample

220718-p3gx6adecp
MD5

a0710a7b2266067d2761c2c00b3781c9
SHA1

838c7b45cfd7333c0681d6a3b5b17d486f8fb509
SHA256

cabb105b68b42b80ce9e42a35fdc198b147068f34a9b637c4dfab7b71987f00c
SHA512

38fd65030a2e2e7230c2469fd1816834d5d034848fa06cc8f63b6d31c998a6a6ba851e80c3134470e21c80f303b6bdce32bebba1092f1eb6abe5535df5651e0c

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

zzun

Decoy

JnNtRHyNupy0GqRzAcasu7hb4rc=

Qv593NGLE7p9UNSaVkPXljAJm2QCNnc=

ePArIFWvjkkMgVEVhw4M4Jk=

26rqUwJ7dD0AiDI=

pBAxMHeK741QFw==

kHD7TPt5846pUMTX

56UnjFjHL1i0j659h3LymRnHpQj+SshC

4vKlKHflPqmWXRbrRwfPtrhb4rc=

6LBd4qButFAi

phMzGll8Ue7Fu+inq5cdnPaSugG3

NKswiQGCvZoG5FgsdHEI

rtTHnuUY8M1qVcXV

SOmECrlAt2oGAA==

L1ep9adutFAi

/UE+/AyvE6uEl28weFI=

IP+xMPQxJR4NE6TK

xvW5GN9/rqA5YUoOVt185Sf7Uw==

fRFNW9DhxL6VF7LA

KFYTfkaY741QFw==

W4JGvMBmt2oGAA==

Targets

- Target
  
  MT103_Advice.exe
- Size
  
  498KB
- MD5
  
  a0710a7b2266067d2761c2c00b3781c9
- SHA1
  
  838c7b45cfd7333c0681d6a3b5b17d486f8fb509
- SHA256
  
  cabb105b68b42b80ce9e42a35fdc198b147068f34a9b637c4dfab7b71987f00c
- SHA512
  
  38fd65030a2e2e7230c2469fd1816834d5d034848fa06cc8f63b6d31c998a6a6ba851e80c3134470e21c80f303b6bdce32bebba1092f1eb6abe5535df5651e0c
Score

10^/10

formbook xloader zzun loader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader payload

Checks computer location settings

Deletes itself

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2