General

  • Target

    2022FHS0927.exe

  • Size

    559KB

  • Sample

    220930-n3y11aedcn

  • MD5

    1af80199193f11910eb4011b3fddd893

  • SHA1

    c4fa00704232f0d10234c8dbde7f8f6d367e3043

  • SHA256

    88c13fcf3ec81929d9bf994b5b9e44fed8d59e22074142843db649d9ff2baaba

  • SHA512

    60e854f79b1c637282648a8ea0c86dc680974755180a291967e873885284060184b03175d66641d088e47656d7eef2147e31e5ef113dd246249987daf2865e74

  • SSDEEP

    12288:HToPWBv/cpGrU3yxlfmWiUkVdxi5FUvc+tIK6Y2:HTbBv5rUsfmVri5Sk+aK6n

Malware Config

Extracted

Family

formbook

Campaign

i65a

Decoy


Extracted

Family

xloader

Version

3.8

Campaign

i65a

Decoy


Targets

  • Formbook

    Formbook is a data-stealing malware family.

  • Xloader

    Xloader is a rebranded version of the Formbook malware.

  • Executes dropped EXE

  • Checks computer location settings

    Looks up the country code configured in the registry, likely a geofence.

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Tasks