formbook | f3e7f68430934e19e618b8d6772b90ac3a7d42369058af3cdd35593266f28604 | Triage

Submit
Reports

Overview

overview

Static

static

Statements...2.xlsx

windows7-x64

Statements...2.xlsx

windows10-2004-x64

1

Sharing

General

Target

Statements and Invoices July 2022.xlsx
Size

829KB
Sample

220927-xr23ysfdaj
MD5

100959adfeea88d0b3026adffa0356a1
SHA1

bc1b255735f03b5f9b4d43cf2f308b9f2531e08f
SHA256

f3e7f68430934e19e618b8d6772b90ac3a7d42369058af3cdd35593266f28604
SHA512

b5a5b0bccee60d3c5ff7507a485453fa8d40b57fe5f214e2373179f8f8b7133f986e9baf505af058fa33499ff5e6a533c39bd4477fe29b1f8ec226361d0a0b73
SSDEEP

24576:QNr57jDMyDt1B1mY7pV71WDOvFDuPGilG0m6gUaxRraJrNtDtPK:QZxDNb3jl51gOvFS+iIIgR0C

Score

10^/10

formbook xloader u8ow loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Statements and Invoices July 2022.xlsx

Resource

win7-20220812-en

formbook xloader u8ow loader persistence rat spyware stealer trojan

windows7-x64

25 signatures

150 seconds

Behavioral task

behavioral2

Sample

Statements and Invoices July 2022.xlsx

Resource

win10v2004-20220812-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Campaign

u8ow

Decoy

uzhDDUNgg10rOh8rkUMGYiLuNnRWl9gwMQ==

bfkA4IUaSgYi7IA=

ezX5yHeR21O3h2RCgQ==

x3E4ntHeLMGQm0kdTi6PJtjOVS6Em8UaKA==

xJuAYwcZLAfqrVazWjvkirgFxDSf

qrGugLdannLYegX5dCtFMA==

i61nMddueAYi7IA=

RoNMKNhtdDWpeiYoaB37TPiHTLo=

RFj3UHHrDtAktSZhYku36opnsaMbNA==

lx0g+6RPl4jwwNPRPuTD

MyEQ4oGk6vXrMM4V

0IVWH0rfKe1J4nn6J9XB

SYVlN3Zrnq2OaWpDiQ==

fNa0jy3P8KQK25rpmwqd0t8=

UZuSZpW+9ffX9KXzmgqd0t8=

Vxf85YCWvYNZjkcDdCtFMA==

0gG1EzLP7/DrMM4V

WExRGVAEE6YS5tJkTxMhR636+A==

6Tv7U4QdURt1KUI+gw==

ooR7RXgsXPtaEutnaQ3efjIXmfJePavzIA==

kH1+agwHHalYZx6qIgfY

ZWt1Rm0DSQlnBqPfWQAc/tcr

cLCK7t168nLRaWpDiQ==

mhlxXnj4ae2oyA==

cNfFjLnZBAbktB6qIgfY

e4+aeK07RtRvyDdIwbTJ

zV1cO+x+pG5zGpk=

Chw2HE2XGN4+Cr/5oYw2qDok

DP/jRm13vb2eiYBXkQ==

Ma9RHLrYBdejyIc/Mg2d/8xWIqM=

VTo6X4LaHCfge/wU

sWUqRFyEF4620a0t2n8=

gFcKdpXTkQzrMM4V

OhMDz+2HrUeaOs/fJBHkCKz7+g==

VO2d9iU2Thf318SIwq0EOA==

e1ku/6K39wfJUusrm0vPx4XRqHIvPpc=

P+jz1DwdYV0=

bTf6X4eNo29HFZaYHIdgOg==

4T4u2HphcHA0

tbfJk7tho2DrMM4V

mN6i/Su4QgqJXCqCRzW3mzJHyrWX

zW04ErzqFdmbu79Rig==

ZmprSnkJRcl0JKT6J9XB

MpWLW5et5BoKKk+rm3c=

Zr2aZxK7/FrlpnRYlw==

0U3tR3qhsDuRX0ebnn0=

wwHLoEjfITb8VSKpjXQ=

U0tVJVTjQAYi7IA=

UhwL8pe04L+OaWpDiQ==

aopHm8x6r2frMM4V

Lmst/p5BnbN6FIkTOM8rEdc=

GE06CTdjgx+Q6ZIV2H8=

EEj/aJNAfnLggR7q56O3833n8g==

iNu4mEHQ21YCng0d

KDEzCTXL1lu2jm76J9XB

75FOp9va+5X90pMaWzhMstYm

dC3913qn0YlNK0+rm3c=

JdWkeCE2aH5uMqzDQikE2IVmsaMbNA==

DXRpMVx9wYHolAeOVjsokL9HyrWX

OhHhPWGIz5DefU+rm3c=

50M3F7hrlnBBTDLKumo4nMY=

Fqq41ivP9XMLaTycqZUCOA==

711EHcp3p3EnLk+rm3c=

LT/fL08ENi0Gi1dYk4bzMQ==

majorcaplanetary.com

Targets

- Target
  
  Statements and Invoices July 2022.xlsx
- Size
  
  829KB
- MD5
  
  100959adfeea88d0b3026adffa0356a1
- SHA1
  
  bc1b255735f03b5f9b4d43cf2f308b9f2531e08f
- SHA256
  
  f3e7f68430934e19e618b8d6772b90ac3a7d42369058af3cdd35593266f28604
- SHA512
  
  b5a5b0bccee60d3c5ff7507a485453fa8d40b57fe5f214e2373179f8f8b7133f986e9baf505af058fa33499ff5e6a533c39bd4477fe29b1f8ec226361d0a0b73
- SSDEEP
  
  24576:QNr57jDMyDt1B1mY7pV71WDOvFDuPGilG0m6gUaxRraJrNtDtPK:QZxDNb3jl51gOvFS+iIIgR0C
Score

10^/10

formbook xloader u8ow loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderu8owloaderpersistenceratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy