formbook

General

Target

7241c4a2af9e08ca229912f6c95c72fe.exe
Size

475KB
Sample

220930-mjs5zaebem
MD5

7241c4a2af9e08ca229912f6c95c72fe
SHA1

2cdc9f81881cb3bfb7a825bb7c8608922a5ee311
SHA256

efb10cca23c4ed132ed9e516dee40bb2906696b91983947507cd05cb9561f6b3
SHA512

b200d33df0abf7b1dd0462a6c1a6f26f70146cc50c0976c5734b3777290e5b36462cb59f903952f6d22ce22fecf85b64da2328b8f4d5d290cce49fe1834acf53
SSDEEP

6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/vOpBjhttFujz1rp/nkQ060AtH15Wc0:lToPWBv/cpGrU3y8tGvo18X/XZn5X0

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

u8ow

Decoy

j5a7vTwyeK/qHg==

M2qzs6QwZ5sVSqCc

7KoU1t9NdRnqZ8ML+cB8x38C

pgeKvdoqNNao7Cr94QiDuw==

/QZJhRORtafU/zeqK4o+

2JvqeTAGpQBYdqgXoA4=

5zJ7fa0A0PgCFA==

cnq44WjiBQ5VfKgXoA4=

oAp6hcdNVbr2NaHk4QiDuw==

Z/w2v4V/zV8aVoFnW0zzSt6hYjbD

WJ74K7ehJCNed6gXoA4=

hCRY0pmWSLhPzeTztw==

ZNhbVFvL8KKYyj2udtFXr3U8T6LZeQ==

ur75Bj2XjwVNhAGA

BlhiocrRF/kDFg==

aQY19Du631WFpEg=

yGCGEReSv1T1JVmWfHwp

cvso1tUbJeLrMlhjg4Z8x38C

XmTsffB+q25IYuOWfHwp

ry8fNm8E0PgCFA==

Extracted

Family

xloader

Version

3.5

Campaign

u8ow

Decoy

j5a7vTwyeK/qHg==

M2qzs6QwZ5sVSqCc

7KoU1t9NdRnqZ8ML+cB8x38C

pgeKvdoqNNao7Cr94QiDuw==

/QZJhRORtafU/zeqK4o+

2JvqeTAGpQBYdqgXoA4=

5zJ7fa0A0PgCFA==

cnq44WjiBQ5VfKgXoA4=

oAp6hcdNVbr2NaHk4QiDuw==

Z/w2v4V/zV8aVoFnW0zzSt6hYjbD

WJ74K7ehJCNed6gXoA4=

hCRY0pmWSLhPzeTztw==

ZNhbVFvL8KKYyj2udtFXr3U8T6LZeQ==

ur75Bj2XjwVNhAGA

BlhiocrRF/kDFg==

aQY19Du631WFpEg=

yGCGEReSv1T1JVmWfHwp

cvso1tUbJeLrMlhjg4Z8x38C

XmTsffB+q25IYuOWfHwp

ry8fNm8E0PgCFA==

Targets

- Target
  
  7241c4a2af9e08ca229912f6c95c72fe.exe
- Size
  
  475KB
- MD5
  
  7241c4a2af9e08ca229912f6c95c72fe
- SHA1
  
  2cdc9f81881cb3bfb7a825bb7c8608922a5ee311
- SHA256
  
  efb10cca23c4ed132ed9e516dee40bb2906696b91983947507cd05cb9561f6b3
- SHA512
  
  b200d33df0abf7b1dd0462a6c1a6f26f70146cc50c0976c5734b3777290e5b36462cb59f903952f6d22ce22fecf85b64da2328b8f4d5d290cce49fe1834acf53
- SSDEEP
  
  6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/vOpBjhttFujz1rp/nkQ060AtH15Wc0:lToPWBv/cpGrU3y8tGvo18X/XZn5X0
Score

10^/10

formbook xloader u8ow loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Xloader

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2