formbook | 99f5d4bcd2ae5e78aedf605d22c1ed6b869493c589c438326a41883d4f68cc5e | Triage

Submit
Reports

Overview

overview

Static

static

1

Invoice MI083761.exe

windows7-x64

Invoice MI083761.exe

windows10-2004-x64

Sharing

General

Target

de2bd88b2005f35b987819e8431c3e01
Size

1.2MB
Sample

220920-t1x9kshcdn
MD5

de2bd88b2005f35b987819e8431c3e01
SHA1

ce93b62f644972efabe0e6494a35c1e2f0f86a7e
SHA256

99f5d4bcd2ae5e78aedf605d22c1ed6b869493c589c438326a41883d4f68cc5e
SHA512

ad840df5730b06f73084564d975ce99d382dd14fde10bbb910eb9cfe4b9b97c6616e2143fc6293a0b8a0ff6c0d6485ef0cd310602a1191a40ed7d88eecd6246f
SSDEEP

12288:BKYT2/Y/7Ua1oog3tum1xwbLtr37azyJ5vBIco/s4+Nk7SL+TK8zFo89SaDoii6W:PTANa1HMumHaBtLvn4+D9802oi5T6F

Score

10^/10

formbook xloader 6hsc loader persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Invoice MI083761.exe

Resource

win7-20220901-en

formbook xloader 6hsc loader persistence rat spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

Invoice MI083761.exe

Resource

win10v2004-20220812-en

formbook xloader 6hsc loader persistence rat spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Campaign

6hsc

Decoy

6cvqXARAGlgdnnbXYQ==

Mi4yZ8FULou6w26U2FDnEbA=

Xmx0bJmRZGL+O0RFfLFNN9AMdwn+

B0WNhyl4T2gWBIqE1VDnEbA=

DI2G9/sG/v6YIh42aQ==

0NTaAl90ZWYiGV/bT4U=

DWCuXrL23Cc3xdIG/0dT

fTbzys/dddqOVQ==

8ClrDFi3i+asgxBOnguhlQ==

YjOkWLSpXeqrXw==

gAIov8vbtv8vr8/tFSXvDULL7thokKA=

xMW2qsXay7xNkonR/zxPo939

xc38fRlgO2opnnbXYQ==

+o31vQlURJKmLUWfHlMq0Gjs

z6GwWxCSKJLJ

2pnQ5evpehAxUt4hd6pq9X71

2CmXDSU2DTmDR+Q=

WV9ScxFQID1V2glQnguhlQ==

L8UDlK65h9wJ7Zeb3VDnEbA=

Agb4LF2bRcDX

SqH75PsH3yxQYR9z3lDnEbA=

h8YG/pfpllgN+r7yaw==

cCpqkbfNqAI/WfJXnguhlQ==

s+knLMwJ3fmRZA0te6Fq9X71

EhYdPd0p8iFxPuI=

Wi4xZri3naA0D1/bT4U=

nWvXcvs9HV2udQo0

l/fjU21+WpE7EF/bT4U=

GZ+SIsMP7w6iAf8+L1pZ

D0mUUXV1P4eNVf9XnguhlQ==

oTlyZvhJFgfB4HVztxCp9Kk=

5PX7IsMQ9DmDR+Q=

dDuAscnFXeqrXw==

kmSrIrD5vxpKxeI2fgO8nw==

1GeVOGNjUmY5yswG/0dT

EYeAIppGt1Gtc/w=

LsHxiswT3tNdNN33H1hhwazaMPvCdA==

8aWkrlDKZrPQ

D4yEIMEI3Nl1QskAbaVndnt00+exZKCtyA==

c8P4ktkmB0ZjAzFCc6Bq9X71

RZnXfaxn0lGtc/w=

ZCMfpTiBVVbfW1ReZMWGoVjo

dMEMsfdKzzmDR+Q=

KTNhf5Ojhd76DKChnguhlQ==

JjlvzPs2/zmDR+Q=

xTIvy3C0XeqrXw==

RcI2ZrS+mIIO2Xub2VDnEbA=

NZOF7/3/499y1QchTG01NlzX8NhokKA=

HJ6Q/QcE2b1DUqrYPXtb

mGvXcvtFNm2Be98zao8=

zRlTSJogCy0=

X2NdecEGn5RLWg==

S4vjrkiPfql//AhBfgO8nw==

oaau7EVWQpAFV1dCc6Bq9X71

rfAaG8H+2xxRQL4BdbB6sJb/Fw==

mKvX7jB8WGcqsaefzfT9UdUMdwn+

WyObTpesZFkXGF/bT4U=

tT9IwOv0tghBx94Xg7d3sJb/Fw==

ApLQj6+9Y+q1+fA=

4bu35JDPqdinbaAG/0dT

xo36lTCBQCSn6gIjV55q9X71

hhFB3UqZbWQoX6TbREhRtajbMPvCdA==

9r7+aqu4oqJPzND+g5gzP27h8thokKA=

xZJ+dpq2XeqrXw==

vuongnudan.site

Targets

- Target
  
  Invoice MI083761.exe
- Size
  
  836KB
- MD5
  
  92ea516a4e27329ac0ef278dab2bfa76
- SHA1
  
  46e5db00e3f9a674208a51590aad707c2ffc03f8
- SHA256
  
  5dd3a0a56d55816a0ffa7a9f2feb75613a68bd2ba9f145bd69ea616e8b8c9c9e
- SHA512
  
  4ba4497ae441ff8879a6acaaef259915ead6021a058646c2726e77a87599b78d6dcc73879491f11b99d958388bcfff4b5c9f9eb9423bcda92a5c53df3a9789ba
- SSDEEP
  
  12288:aBoolbR462TDeI3BqjN23YNzH44kCYtAbmT:ae603g032U4kPtQmT
Score

10^/10

formbook xloader 6hsc loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloader6hscloaderpersistenceratspywarestealertrojan

behavioral2

formbookxloader6hscloaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy