Malware sandboxing report by Hatching Triage

General

Target

2022FHS0927.exe
Size

559KB
Sample

220930-n3y11aedcn
MD5

1af80199193f11910eb4011b3fddd893
SHA1

c4fa00704232f0d10234c8dbde7f8f6d367e3043
SHA256

88c13fcf3ec81929d9bf994b5b9e44fed8d59e22074142843db649d9ff2baaba
SHA512

60e854f79b1c637282648a8ea0c86dc680974755180a291967e873885284060184b03175d66641d088e47656d7eef2147e31e5ef113dd246249987daf2865e74
SSDEEP

12288:HToPWBv/cpGrU3yxlfmWiUkVdxi5FUvc+tIK6Y2:HTbBv5rUsfmVri5Sk+aK6n

Score

10^/10

Malware Config

Extracted

Family	formbook
Campaign	i65a
Decoy	r00zzvD9uoqMkFT8XDSqPg== iSMQDJ3Tyuj8KXflBw== Gq+tYoFrGU/5B4gGNnzHNg== wEwcynSwpynZKUFhqyIK bw3PbrjowhAVJA== TggEt9LuwhAVJA== r0UqC6sxgcWN7vc= 0m+fwBgf0oyehByUtx51BsBkuj8= dhtdWWyIhRatp2dpv8tPcJoQ jTAw4/4TCwcXjpECXDSqPg== aglx4nPPkGp/raeivGVOfzdbFIu4 +qXr4cAGtQJm7Mf6 sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8= E6ohOo2zadVgzLIfaWALaik= wXwu0yo/KbNm7Mf6 EcoyojCJYKg1laCuBK+exkNbFIu4 bhZgFvj6yP+R4F+0/5S/oFMpAA== rzlylCB1NIMabG2dzGQd +5ngCKjwwhAVJA== AMUtZrYh+0LPL/QyfSo= hzqw1O4JApAae41vjXUOeC8= C7guqfg0PD5dvVf4DQ== BsM1AaksgMWN7vc= 5pcGLkVbBUPPL/QyfSo= TvMO/UKDdcWN7vc= fCNJYrrKfTprvVf4DQ== 5rfNvNbPhEFrvVf4DQ== 9717JcIR+w4iNgKcr91It5f448HcIA== Wfo2UPQmr3SeAgqCx+ihjjsY Svg8XfRAHZ5DvXj4EA== TuXg5TNpdh6yCOmt0pkeNaKCuzc= fjn46QYnKM4w0+g= WRV/AkxH/M7NzFzkCw91Zpz048HcIA== Bo6ILlHigRGpGJRgtPd6WQFsGA== ZCdTYvhSBMTjO0mpy+ihjjsY Vg104XmxSn8DTRA2YCA= fBmNxO/pwkHXAKalv3UOeC8= 2YL6LEtrcsyquo2wz3ahjjsY iC2cyuTQsS3KHymco5LiuXXRdYc9KA== JvGrI2XdqxWjoPQyfSo= NMuVRIiBW1Nhjn9zgw3PwEJbFIu4 7KsjVqn0meiO7MVyjXUOeC8= XvgsVPgmHCtBPPXC7IhcycBkuj8= HsE0cZF7K+0KXVC4yexV8KqiJAA0Yi8= ZA9olK7JxkTg6q7/TenoBXFnljPD7XGx PvN6Nk9THuEFRZYCFA== cx/LcM3luPqVmxJ+jhMI smWwq8nUo09jvVf4DQ== aBnnX3Z7RIQqQsRdhz0= 8o1CKXiwmgZm7Mf6 s2NR7g0vRFBRp3VhqyIK DLYGcptChcWN7vc= 0GEVmuU0F1jkMfQyfSo= s1Kiy26yq6+H9spyinUOeC8= CZxV2PHhkdRu/ewuGg== y8Xu3/EguTvj ulTCKLYf9ULaNPQyfSo= 1Yl0JHHbnlR3eAp4uepO8u5YFRkKjVNu8Q== V+zu64nHc059gzjoEtXhkxEB dQkau9PuwhAVJA== NMYypu3zqoGsllajzOShjjsY Wxkhx+n/zcWN7vc= 74dZAaju4XcRfFR3kzM= u3R6gBVPPDpcvVf4DQ== partnermdg.com r00zzvD9uoqMkFT8XDSqPg== iSMQDJ3Tyuj8KXflBw== Gq+tYoFrGU/5B4gGNnzHNg== wEwcynSwpynZKUFhqyIK bw3PbrjowhAVJA== TggEt9LuwhAVJA== r0UqC6sxgcWN7vc= 0m+fwBgf0oyehByUtx51BsBkuj8= dhtdWWyIhRatp2dpv8tPcJoQ jTAw4/4TCwcXjpECXDSqPg== aglx4nPPkGp/raeivGVOfzdbFIu4 +qXr4cAGtQJm7Mf6 sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8= E6ohOo2zadVgzLIfaWALaik= wXwu0yo/KbNm7Mf6 EcoyojCJYKg1laCuBK+exkNbFIu4 bhZgFvj6yP+R4F+0/5S/oFMpAA== rzlylCB1NIMabG2dzGQd +5ngCKjwwhAVJA== AMUtZrYh+0LPL/QyfSo= hzqw1O4JApAae41vjXUOeC8= C7guqfg0PD5dvVf4DQ== BsM1AaksgMWN7vc= 5pcGLkVbBUPPL/QyfSo= TvMO/UKDdcWN7vc= fCNJYrrKfTprvVf4DQ== 5rfNvNbPhEFrvVf4DQ== 9717JcIR+w4iNgKcr91It5f448HcIA== Wfo2UPQmr3SeAgqCx+ihjjsY Svg8XfRAHZ5DvXj4EA== TuXg5TNpdh6yCOmt0pkeNaKCuzc= fjn46QYnKM4w0+g= WRV/AkxH/M7NzFzkCw91Zpz048HcIA== Bo6ILlHigRGpGJRgtPd6WQFsGA== ZCdTYvhSBMTjO0mpy+ihjjsY Vg104XmxSn8DTRA2YCA= fBmNxO/pwkHXAKalv3UOeC8= 2YL6LEtrcsyquo2wz3ahjjsY iC2cyuTQsS3KHymco5LiuXXRdYc9KA== JvGrI2XdqxWjoPQyfSo= NMuVRIiBW1Nhjn9zgw3PwEJbFIu4 7KsjVqn0meiO7MVyjXUOeC8= XvgsVPgmHCtBPPXC7IhcycBkuj8= HsE0cZF7K+0KXVC4yexV8KqiJAA0Yi8= ZA9olK7JxkTg6q7/TenoBXFnljPD7XGx PvN6Nk9THuEFRZYCFA== cx/LcM3luPqVmxJ+jhMI smWwq8nUo09jvVf4DQ== aBnnX3Z7RIQqQsRdhz0= 8o1CKXiwmgZm7Mf6 s2NR7g0vRFBRp3VhqyIK DLYGcptChcWN7vc= 0GEVmuU0F1jkMfQyfSo= s1Kiy26yq6+H9spyinUOeC8= CZxV2PHhkdRu/ewuGg== y8Xu3/EguTvj ulTCKLYf9ULaNPQyfSo= 1Yl0JHHbnlR3eAp4uepO8u5YFRkKjVNu8Q== V+zu64nHc059gzjoEtXhkxEB dQkau9PuwhAVJA== NMYypu3zqoGsllajzOShjjsY Wxkhx+n/zcWN7vc= 74dZAaju4XcRfFR3kzM= u3R6gBVPPDpcvVf4DQ== partnermdg.com

Extracted

Family	xloader
Version	3.8
Campaign	i65a
Decoy	r00zzvD9uoqMkFT8XDSqPg== iSMQDJ3Tyuj8KXflBw== Gq+tYoFrGU/5B4gGNnzHNg== wEwcynSwpynZKUFhqyIK bw3PbrjowhAVJA== TggEt9LuwhAVJA== r0UqC6sxgcWN7vc= 0m+fwBgf0oyehByUtx51BsBkuj8= dhtdWWyIhRatp2dpv8tPcJoQ jTAw4/4TCwcXjpECXDSqPg== aglx4nPPkGp/raeivGVOfzdbFIu4 +qXr4cAGtQJm7Mf6 sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8= E6ohOo2zadVgzLIfaWALaik= wXwu0yo/KbNm7Mf6 EcoyojCJYKg1laCuBK+exkNbFIu4 bhZgFvj6yP+R4F+0/5S/oFMpAA== rzlylCB1NIMabG2dzGQd +5ngCKjwwhAVJA== AMUtZrYh+0LPL/QyfSo= hzqw1O4JApAae41vjXUOeC8= C7guqfg0PD5dvVf4DQ== BsM1AaksgMWN7vc= 5pcGLkVbBUPPL/QyfSo= TvMO/UKDdcWN7vc= fCNJYrrKfTprvVf4DQ== 5rfNvNbPhEFrvVf4DQ== 9717JcIR+w4iNgKcr91It5f448HcIA== Wfo2UPQmr3SeAgqCx+ihjjsY Svg8XfRAHZ5DvXj4EA== TuXg5TNpdh6yCOmt0pkeNaKCuzc= fjn46QYnKM4w0+g= WRV/AkxH/M7NzFzkCw91Zpz048HcIA== Bo6ILlHigRGpGJRgtPd6WQFsGA== ZCdTYvhSBMTjO0mpy+ihjjsY Vg104XmxSn8DTRA2YCA= fBmNxO/pwkHXAKalv3UOeC8= 2YL6LEtrcsyquo2wz3ahjjsY iC2cyuTQsS3KHymco5LiuXXRdYc9KA== JvGrI2XdqxWjoPQyfSo= NMuVRIiBW1Nhjn9zgw3PwEJbFIu4 7KsjVqn0meiO7MVyjXUOeC8= XvgsVPgmHCtBPPXC7IhcycBkuj8= HsE0cZF7K+0KXVC4yexV8KqiJAA0Yi8= ZA9olK7JxkTg6q7/TenoBXFnljPD7XGx PvN6Nk9THuEFRZYCFA== cx/LcM3luPqVmxJ+jhMI smWwq8nUo09jvVf4DQ== aBnnX3Z7RIQqQsRdhz0= 8o1CKXiwmgZm7Mf6 s2NR7g0vRFBRp3VhqyIK DLYGcptChcWN7vc= 0GEVmuU0F1jkMfQyfSo= s1Kiy26yq6+H9spyinUOeC8= CZxV2PHhkdRu/ewuGg== y8Xu3/EguTvj ulTCKLYf9ULaNPQyfSo= 1Yl0JHHbnlR3eAp4uepO8u5YFRkKjVNu8Q== V+zu64nHc059gzjoEtXhkxEB dQkau9PuwhAVJA== NMYypu3zqoGsllajzOShjjsY Wxkhx+n/zcWN7vc= 74dZAaju4XcRfFR3kzM= u3R6gBVPPDpcvVf4DQ== partnermdg.com r00zzvD9uoqMkFT8XDSqPg== iSMQDJ3Tyuj8KXflBw== Gq+tYoFrGU/5B4gGNnzHNg== wEwcynSwpynZKUFhqyIK bw3PbrjowhAVJA== TggEt9LuwhAVJA== r0UqC6sxgcWN7vc= 0m+fwBgf0oyehByUtx51BsBkuj8= dhtdWWyIhRatp2dpv8tPcJoQ jTAw4/4TCwcXjpECXDSqPg== aglx4nPPkGp/raeivGVOfzdbFIu4 +qXr4cAGtQJm7Mf6 sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8= E6ohOo2zadVgzLIfaWALaik= wXwu0yo/KbNm7Mf6 EcoyojCJYKg1laCuBK+exkNbFIu4 bhZgFvj6yP+R4F+0/5S/oFMpAA== rzlylCB1NIMabG2dzGQd +5ngCKjwwhAVJA== AMUtZrYh+0LPL/QyfSo= hzqw1O4JApAae41vjXUOeC8= C7guqfg0PD5dvVf4DQ== BsM1AaksgMWN7vc= 5pcGLkVbBUPPL/QyfSo= TvMO/UKDdcWN7vc= fCNJYrrKfTprvVf4DQ== 5rfNvNbPhEFrvVf4DQ== 9717JcIR+w4iNgKcr91It5f448HcIA== Wfo2UPQmr3SeAgqCx+ihjjsY Svg8XfRAHZ5DvXj4EA== TuXg5TNpdh6yCOmt0pkeNaKCuzc= fjn46QYnKM4w0+g= WRV/AkxH/M7NzFzkCw91Zpz048HcIA== Bo6ILlHigRGpGJRgtPd6WQFsGA== ZCdTYvhSBMTjO0mpy+ihjjsY Vg104XmxSn8DTRA2YCA= fBmNxO/pwkHXAKalv3UOeC8= 2YL6LEtrcsyquo2wz3ahjjsY iC2cyuTQsS3KHymco5LiuXXRdYc9KA== JvGrI2XdqxWjoPQyfSo= NMuVRIiBW1Nhjn9zgw3PwEJbFIu4 7KsjVqn0meiO7MVyjXUOeC8= XvgsVPgmHCtBPPXC7IhcycBkuj8= HsE0cZF7K+0KXVC4yexV8KqiJAA0Yi8= ZA9olK7JxkTg6q7/TenoBXFnljPD7XGx PvN6Nk9THuEFRZYCFA== cx/LcM3luPqVmxJ+jhMI smWwq8nUo09jvVf4DQ== aBnnX3Z7RIQqQsRdhz0= 8o1CKXiwmgZm7Mf6 s2NR7g0vRFBRp3VhqyIK DLYGcptChcWN7vc= 0GEVmuU0F1jkMfQyfSo= s1Kiy26yq6+H9spyinUOeC8= CZxV2PHhkdRu/ewuGg== y8Xu3/EguTvj ulTCKLYf9ULaNPQyfSo= 1Yl0JHHbnlR3eAp4uepO8u5YFRkKjVNu8Q== V+zu64nHc059gzjoEtXhkxEB dQkau9PuwhAVJA== NMYypu3zqoGsllajzOShjjsY Wxkhx+n/zcWN7vc= 74dZAaju4XcRfFR3kzM= u3R6gBVPPDpcvVf4DQ== partnermdg.com

Targets

- Target
  
  2022FHS0927.exe
- Size
  
  559KB
- MD5
  
  1af80199193f11910eb4011b3fddd893
- SHA1
  
  c4fa00704232f0d10234c8dbde7f8f6d367e3043
- SHA256
  
  88c13fcf3ec81929d9bf994b5b9e44fed8d59e22074142843db649d9ff2baaba
- SHA512
  
  60e854f79b1c637282648a8ea0c86dc680974755180a291967e873885284060184b03175d66641d088e47656d7eef2147e31e5ef113dd246249987daf2865e74
- SSDEEP
  
  12288:HToPWBv/cpGrU3yxlfmWiUkVdxi5FUvc+tIK6Y2:HTbBv5rUsfmVri5Sk+aK6n
Score

10^/10

formbook xloader i65a loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

Score

N/A

behavioral1

formbookxloaderi65aloaderratspywarestealertrojan

Score

10^/10

Sharing

General

Malware Config

Extracted

Extracted

Targets

Formbook

Xloader

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1