formbook

General

Target

太太希Jw的 rA.exe
Size

499KB
Sample

220921-mvgajsbgbq
MD5

73aac8ac5dc4ded42398f9fe2a191c19
SHA1

4f3ed7fa592f4ae4c4462928543dcbd4997f2549
SHA256

6672b26a03db7ec5d61e90ce7827c422cb6a8a942cc1c77f92f97e263a35d8e5
SHA512

cc5459746e50fe49d87f5facbb7ee79c1554697e54df2a615ace177ef0f439d134f188e19f51a1f866486237d3a79fa381d362b7da942dc74e00f675bc3cb58d
SSDEEP

12288:0osBGYb7Hku+M1e02kE15gLXOCYeHcUiK9DRB1R5//+P25wENJYWfaBFyutY4ld2:cBGO7HkwGkE15AXOCYeHcU7

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

v4qp

Decoy

je1XQKU1LfJPVLk=

nvf41a7FsTLs6uB/g+CR

U7mryF6DctZn6GEjr9Bm4g==

1SONGrPdh7wGEOXp3g==

2xX859r7qOFq7GYkr9Bm4g==

IYtzVUx0Oo0HmZawLQAARDvBf4dL

NH3iuBPNSzZTvpw/4KaG

rDehfiqIPbdMBS8G1g==

xhb2uJ0eBwo7k3djqxh60xoNt4VoeQ==

AFtKux3JgPGRkx3xUsciR6piSg==

m+3VoJadWcBvOAPpzKUNPoAxyplS

1DWKULdka3mxIKhEqGxQr7gxyplS

DGlFGBqWi5CtrCX9alyTuPzq

muvVM4slyTfxORwAZisVksCM78aSEVo=

D3biNgUbyg9E5pl+

/+1QLPssvl/Xxg==

I4lzTjaAcc1iBS8G1g==

wSwc4MmbShojhlZCrniTuPzq

jN5YO6ZXSfJPVLk=

4TUS4+ANuqHCRTM9sniTuPzq

Extracted

Family

xloader

Version

2.9

Campaign

v4qp

Decoy

je1XQKU1LfJPVLk=

nvf41a7FsTLs6uB/g+CR

U7mryF6DctZn6GEjr9Bm4g==

1SONGrPdh7wGEOXp3g==

2xX859r7qOFq7GYkr9Bm4g==

IYtzVUx0Oo0HmZawLQAARDvBf4dL

NH3iuBPNSzZTvpw/4KaG

rDehfiqIPbdMBS8G1g==

xhb2uJ0eBwo7k3djqxh60xoNt4VoeQ==

AFtKux3JgPGRkx3xUsciR6piSg==

m+3VoJadWcBvOAPpzKUNPoAxyplS

1DWKULdka3mxIKhEqGxQr7gxyplS

DGlFGBqWi5CtrCX9alyTuPzq

muvVM4slyTfxORwAZisVksCM78aSEVo=

D3biNgUbyg9E5pl+

/+1QLPssvl/Xxg==

I4lzTjaAcc1iBS8G1g==

wSwc4MmbShojhlZCrniTuPzq

jN5YO6ZXSfJPVLk=

4TUS4+ANuqHCRTM9sniTuPzq

Targets

- Target
  
  太太希Jw的 rA.exe
- Size
  
  499KB
- MD5
  
  73aac8ac5dc4ded42398f9fe2a191c19
- SHA1
  
  4f3ed7fa592f4ae4c4462928543dcbd4997f2549
- SHA256
  
  6672b26a03db7ec5d61e90ce7827c422cb6a8a942cc1c77f92f97e263a35d8e5
- SHA512
  
  cc5459746e50fe49d87f5facbb7ee79c1554697e54df2a615ace177ef0f439d134f188e19f51a1f866486237d3a79fa381d362b7da942dc74e00f675bc3cb58d
- SSDEEP
  
  12288:0osBGYb7Hku+M1e02kE15gLXOCYeHcUiK9DRB1R5//+P25wENJYWfaBFyutY4ld2:cBGO7HkwGkE15AXOCYeHcU7
Score

10^/10

formbook xloader v4qp loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Xloader

Xloader payload

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2