formbook | 706d50824187fb595dc21c7e701f3f0b60baaea805b90d6bc9adb1d4c2f023fe | Triage

Submit
Reports

Overview

overview

Static

static

SOR-0188-2...us.exe

windows7-x64

SOR-0188-2...us.exe

windows10-2004-x64

Sharing

General

Target

SOR-0188-2022-E - Sea Orpheus.img
Size

776KB
Sample

220915-rsfnfshaeq
MD5

e9375eb3bd36b1960d55c248c1301612
SHA1

f71d325dfc6901149d51390d4ce3474f7c779508
SHA256

706d50824187fb595dc21c7e701f3f0b60baaea805b90d6bc9adb1d4c2f023fe
SHA512

5495e42906514b56e9103243aaaa4db99fdcfedd23f1cd023d581da452e4b87ee90045b918b36c94358e720ac7d9afc18ce6490b8b7286b5f7f2bed6d017755a
SSDEEP

12288:yVF75e1ZuqRhf5O5zOJf2t51Yy8rZGGWvC0DsD88WV+kOGq+b6e6/U:yVZ52ZB7xOFEDy8r0Ru8LjBf

Score

10^/10

formbook xloader 6hsc loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

SOR-0188-2022-E - Sea Orpheus.exe

Resource

win7-20220812-en

formbook xloader 6hsc loader persistence rat spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

SOR-0188-2022-E - Sea Orpheus.exe

Resource

win10v2004-20220812-en

formbook xloader 6hsc loader persistence rat spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Campaign

6hsc

Decoy

6cvqXARAGlgdnnbXYQ==

Mi4yZ8FULou6w26U2FDnEbA=

Xmx0bJmRZGL+O0RFfLFNN9AMdwn+

B0WNhyl4T2gWBIqE1VDnEbA=

DI2G9/sG/v6YIh42aQ==

0NTaAl90ZWYiGV/bT4U=

DWCuXrL23Cc3xdIG/0dT

fTbzys/dddqOVQ==

8ClrDFi3i+asgxBOnguhlQ==

YjOkWLSpXeqrXw==

gAIov8vbtv8vr8/tFSXvDULL7thokKA=

xMW2qsXay7xNkonR/zxPo939

xc38fRlgO2opnnbXYQ==

+o31vQlURJKmLUWfHlMq0Gjs

z6GwWxCSKJLJ

2pnQ5evpehAxUt4hd6pq9X71

2CmXDSU2DTmDR+Q=

WV9ScxFQID1V2glQnguhlQ==

L8UDlK65h9wJ7Zeb3VDnEbA=

Agb4LF2bRcDX

SqH75PsH3yxQYR9z3lDnEbA=

h8YG/pfpllgN+r7yaw==

cCpqkbfNqAI/WfJXnguhlQ==

s+knLMwJ3fmRZA0te6Fq9X71

EhYdPd0p8iFxPuI=

Wi4xZri3naA0D1/bT4U=

nWvXcvs9HV2udQo0

l/fjU21+WpE7EF/bT4U=

GZ+SIsMP7w6iAf8+L1pZ

D0mUUXV1P4eNVf9XnguhlQ==

oTlyZvhJFgfB4HVztxCp9Kk=

5PX7IsMQ9DmDR+Q=

dDuAscnFXeqrXw==

kmSrIrD5vxpKxeI2fgO8nw==

1GeVOGNjUmY5yswG/0dT

EYeAIppGt1Gtc/w=

LsHxiswT3tNdNN33H1hhwazaMPvCdA==

8aWkrlDKZrPQ

D4yEIMEI3Nl1QskAbaVndnt00+exZKCtyA==

c8P4ktkmB0ZjAzFCc6Bq9X71

RZnXfaxn0lGtc/w=

ZCMfpTiBVVbfW1ReZMWGoVjo

dMEMsfdKzzmDR+Q=

KTNhf5Ojhd76DKChnguhlQ==

JjlvzPs2/zmDR+Q=

xTIvy3C0XeqrXw==

RcI2ZrS+mIIO2Xub2VDnEbA=

NZOF7/3/499y1QchTG01NlzX8NhokKA=

HJ6Q/QcE2b1DUqrYPXtb

mGvXcvtFNm2Be98zao8=

zRlTSJogCy0=

X2NdecEGn5RLWg==

S4vjrkiPfql//AhBfgO8nw==

oaau7EVWQpAFV1dCc6Bq9X71

rfAaG8H+2xxRQL4BdbB6sJb/Fw==

mKvX7jB8WGcqsaefzfT9UdUMdwn+

WyObTpesZFkXGF/bT4U=

tT9IwOv0tghBx94Xg7d3sJb/Fw==

ApLQj6+9Y+q1+fA=

4bu35JDPqdinbaAG/0dT

xo36lTCBQCSn6gIjV55q9X71

hhFB3UqZbWQoX6TbREhRtajbMPvCdA==

9r7+aqu4oqJPzND+g5gzP27h8thokKA=

xZJ+dpq2XeqrXw==

vuongnudan.site

Targets

- Target
  
  SOR-0188-2022-E - Sea Orpheus.exe
- Size
  
  715KB
- MD5
  
  1963afa9192dbc64dcf0f05a09ca4a84
- SHA1
  
  07e68172cf7485b8921739037b3045742d6e87a5
- SHA256
  
  9a3a97e6801259fb5c604f364434f5c96c519dc979be88f69488a87e3b1fbd2d
- SHA512
  
  fa5a8e76864e081a7b29b7182ee1bc9a5a78f5904e3592a6c6e6027af32713e2bed4e832354e48b367e52a021c2a74823937883afa210c8cc82e2f67b0f369c7
- SSDEEP
  
  12288:tVF75e1ZuqRhf5O5zOJf2t51Yy8rZGGWvC0DsD88WV+kOGq+b6e6/U:tVZ52ZB7xOFEDy8r0Ru8LjBf
Score

10^/10

formbook xloader 6hsc loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloader6hscloaderpersistenceratspywarestealertrojan

behavioral2

formbookxloader6hscloaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy