formbook

General

Target

Delay notice of M.V. KANWAY GLOBALV.2213S.scr.exe
Size

1.0MB
Sample

220928-t4ss9shffn
MD5

c8bd2fd6e2e7fc24eada83b44336f570
SHA1

d5ed0e54b839a3fcea2a912461f71aa3069eefde
SHA256

e4e4b8f8990f7ff711e1a238445dedaf74f4d01a10afa0c774705ff4412cbc10
SHA512

dc893cfbdd76f6dd9743f0948903839e6b95a01b2da66ccb9f3493a4324bc6ffe9ecdad31d4949d5e16dc81fcc842a6c5587a4f193e81619e55dae4f6dfdf5d7
SSDEEP

24576:I1S9JZiaRy0nJoOT5g7QD147cdgvuSp4O1BfX+FJ2SIv:IIvKkzTq61GcmxpnQJ2S

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

ruwn

Decoy

MvG74HO0R0fdGfJ1BiyHgNcexfpDQlwZCA==

Dat+rkV462igk2LufHo/NSE=

3LZ+y3jZXQ==

lllq2KJ2gwVcW/QxzS+QJlYg/g==

IPYDRekc+4ny6A==

Hr2SxM0quEmQk0bKaqw9tAcW5kMF

HMTIBAtJcQ9dXRqbctU5RZ9LIpEBbQ==

cisnZn2OqJ1k0uZtPoNh

YDxFc1uGlKqtZbzEkOrtlinS6Q==

6YsTAbSR5IKsa3kAne1gFns9

849SZE7FafcEciNlOa3y3w==

dD9IgmqPmSBH+2ujSno/NSE=

oTnMzZlugA5mXPdG2xFa/iEtS2QL

FN/mUyVE6ud9z+JtPoNh

Cvcia+2HQaBy

dQfS3I9otsZTRnAqmw==

8sOHdCb+Coa/q2KySno/NSE=

EqcwLimUNlHX7XIJpPw=

4o6PAABl7uuAv5hHHpg0800k

hyQlbm+mh+3vqxn8

Extracted

Family

xloader

Version

3.7

Campaign

ruwn

Decoy

MvG74HO0R0fdGfJ1BiyHgNcexfpDQlwZCA==

Dat+rkV462igk2LufHo/NSE=

3LZ+y3jZXQ==

lllq2KJ2gwVcW/QxzS+QJlYg/g==

IPYDRekc+4ny6A==

Hr2SxM0quEmQk0bKaqw9tAcW5kMF

HMTIBAtJcQ9dXRqbctU5RZ9LIpEBbQ==

cisnZn2OqJ1k0uZtPoNh

YDxFc1uGlKqtZbzEkOrtlinS6Q==

6YsTAbSR5IKsa3kAne1gFns9

849SZE7FafcEciNlOa3y3w==

dD9IgmqPmSBH+2ujSno/NSE=

oTnMzZlugA5mXPdG2xFa/iEtS2QL

FN/mUyVE6ud9z+JtPoNh

Cvcia+2HQaBy

dQfS3I9otsZTRnAqmw==

8sOHdCb+Coa/q2KySno/NSE=

EqcwLimUNlHX7XIJpPw=

4o6PAABl7uuAv5hHHpg0800k

hyQlbm+mh+3vqxn8

Targets

- Target
  
  Delay notice of M.V. KANWAY GLOBALV.2213S.scr.exe
- Size
  
  1.0MB
- MD5
  
  c8bd2fd6e2e7fc24eada83b44336f570
- SHA1
  
  d5ed0e54b839a3fcea2a912461f71aa3069eefde
- SHA256
  
  e4e4b8f8990f7ff711e1a238445dedaf74f4d01a10afa0c774705ff4412cbc10
- SHA512
  
  dc893cfbdd76f6dd9743f0948903839e6b95a01b2da66ccb9f3493a4324bc6ffe9ecdad31d4949d5e16dc81fcc842a6c5587a4f193e81619e55dae4f6dfdf5d7
- SSDEEP
  
  24576:I1S9JZiaRy0nJoOT5g7QD147cdgvuSp4O1BfX+FJ2SIv:IIvKkzTq61GcmxpnQJ2S
Score

10^/10

formbook xloader ruwn loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Xloader

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2