formbook | 774b70967400f9ca1463c706886a761d9436de253a9c4075fee31c6fee5ec36f | Triage

Submit
Reports

Overview

overview

Static

static

Shipping_d...ts.exe

windows7-x64

Shipping_d...ts.exe

windows10-2004-x64

Sharing

General

Target

Shipping_documents.exe
Size

39KB
Sample

220818-khk2vsbhcj
MD5

c34a61c02473087bc50d047142d6eb93
SHA1

c2ed777e3dcfef05e38ddf3d91764cab3fe3452c
SHA256

774b70967400f9ca1463c706886a761d9436de253a9c4075fee31c6fee5ec36f
SHA512

9f82964c948d33f631d850d7d7dc7966595b1fa40d5f63613bb8eb3216d0f80e5f47b52f617a10c4b1910a1bec4fe6737de340a5ad19e964a3e484eb72338b27
SSDEEP

192:ID748iqqtdqDHMQ/a+n7DMfN4vAiuCxlnWy0blrrY98uwnSfn8AQ/+e8:ImqPpn7wfN4ILGlWX5rru8uj0j/+e

Score

10^/10

formbook xloader v4qp loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Shipping_documents.exe

Resource

win7-20220812-en

xloader v4qp loader persistence rat

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

Shipping_documents.exe

Resource

win10v2004-20220812-en

formbook xloader v4qp loader persistence rat spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

v4qp

Decoy

je1XQKU1LfJPVLk=

nvf41a7FsTLs6uB/g+CR

U7mryF6DctZn6GEjr9Bm4g==

1SONGrPdh7wGEOXp3g==

2xX859r7qOFq7GYkr9Bm4g==

IYtzVUx0Oo0HmZawLQAARDvBf4dL

NH3iuBPNSzZTvpw/4KaG

rDehfiqIPbdMBS8G1g==

xhb2uJ0eBwo7k3djqxh60xoNt4VoeQ==

AFtKux3JgPGRkx3xUsciR6piSg==

m+3VoJadWcBvOAPpzKUNPoAxyplS

1DWKULdka3mxIKhEqGxQr7gxyplS

DGlFGBqWi5CtrCX9alyTuPzq

muvVM4slyTfxORwAZisVksCM78aSEVo=

D3biNgUbyg9E5pl+

/+1QLPssvl/Xxg==

I4lzTjaAcc1iBS8G1g==

wSwc4MmbShojhlZCrniTuPzq

jN5YO6ZXSfJPVLk=

4TUS4+ANuqHCRTM9sniTuPzq

7Ssfd9ru/HPzWMZ42Z+E

TJl+UkzTsY6g86lyegOU3gw=

0juvfNqRgmJwwpc/4KaG

WJuGVDdhQj1Ux5s/4KaG

FHdjPTRtZc1rPwr8zUQfXogxyplS

1yUI9+gAwMPuYMWALzWc+w==

CW1UNSZVQKAlmQep/XYDYGot8HZX30M=

vRqFbt1zJfH304GOeAOU3gw=

P5CIQS65moOingakeAOU3gw=

d9dBqqBI+vgR0Q==

1zElifgR7DjBQhEgnWqTuPzq

Z60BYmHr5eHr4qiedQOU3gw=

HWU4MRo7NYMKvenJppIKPWxeSQ==

e3BN71BTWfJPVLk=

wy7WdMhKC6ZIBS8G1g==

XquYfmaLfMtjMdvi0UJCve3YPQ9/3VBp

KZGA1zHJgWB5XAUCtW5auQQ=

xiMia8hyQfJPVLk=

fs3InobYUU1v

g/FWtqk8QVV2fvykeAOU3gw=

Gk0rieTkzD/cYMxmtQij4wb9

sQ92QpZSTOWOi15IKJWeEYMaENE=

DmfkxD7hjeFXBS8G1g==

AF/WMxGNm+1qwhvu59Ziy96hOpN/3VBp

mPxzMqdFvl/Xxg==

wbYTecjCf2dE5pl+

bM22jGRvLWbm3dd/g+CR

3T4iifwiBwdGDun0r9Bm4g==

hd/Zp4qeQhkDA7I+sXVavwQ=

Y6UNZTVzVVVE5pl+

4V68Jxr1n3hpa/igeQOU3gw=

oxRu5bztvl/Xxg==

IoXeT3nFp316WK0=

LSJ+4y5JmmIN3w==

svtsPL5PAtT1ZVBKmNxkR6piSg==

Tqv+1CqslWNp1Z1v4rzl6xM=

nOjWOqSkigqvKn8jr9Bm4g==

5vNHav9pXUs=

51u5hOzjug9E5pl+

BV3fNCavl2Z69CjsSAHGFiPi

Pov+YD5zJgUUinyAxxhVrb6W7saSEVo=

sfvz0cLqvl/Xxg==

MZ0a3y3CnzpW1DsSU01xouShpVtF

ogaE4dJvYFB76MzDJpoQR6piSg==

erilb.com

Targets

- Target
  
  Shipping_documents.exe
- Size
  
  39KB
- MD5
  
  c34a61c02473087bc50d047142d6eb93
- SHA1
  
  c2ed777e3dcfef05e38ddf3d91764cab3fe3452c
- SHA256
  
  774b70967400f9ca1463c706886a761d9436de253a9c4075fee31c6fee5ec36f
- SHA512
  
  9f82964c948d33f631d850d7d7dc7966595b1fa40d5f63613bb8eb3216d0f80e5f47b52f617a10c4b1910a1bec4fe6737de340a5ad19e964a3e484eb72338b27
- SSDEEP
  
  192:ID748iqqtdqDHMQ/a+n7DMfN4vAiuCxlnWy0blrrY98uwnSfn8AQ/+e8:ImqPpn7wfN4ILGlWX5rru8uj0j/+e
Score

10^/10

xloader v4qp loader persistence rat formbook spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderv4qploaderpersistencerat

behavioral2

formbookxloaderv4qploaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy