Overview

overview

10

Static

static

RFQ 97571784.exe

windows7-x64

10

RFQ 97571784.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RFQ 97571784.exe

  • Size

    599KB

  • Sample

    221003-hsnvdsdhcn

  • MD5

    c74c07398f92eaca8cc4e773796d6497

  • SHA1

    cb61c996bb0b7b9fbb4e4baece2fa6e142436ee5

  • SHA256

    5eacddfba11e9ce3946802e55e8abb159eb51a3bd27c7a92a68b8b23dcee79c8

  • SHA512

    0aa0ac665bab40ee96d99ba2f38c329e9d707688ccb8f07e04728e88eb2aaf37d1d65eaab06ff43de1d616261a1ac10428630b16c2cabf2b232156d5cdfdda11

  • SSDEEP

    12288:dToPWBv/cpGrU3yp0vx7mRfPClpthYMdTr7+XPho:dTbBv5rUO2mhsNv7ePho

Score
10/10
formbookxloaderhzb3loaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

hzb3

Decoy

BVGWUXYpaaEaNSjsCHhJnDJz463cqQ==

CEqdZb0KaOLLbWqrDVTgc20=

nBv0jSFiQHxtE6awQnm2

E1sGpCJYtB8ImaguUyF6yQ==

PMBND7LzJGZH7CXulclbs2c=

u9zzlFGDXo6LLbGwQnm2

SaJjLbtVlMgsP5ZQRj4=

wckwEbwBbKA2X3g=

rPxB8ePUxfu4pilu

S562QFeKY5P//qawQnm2

BkEfWXZuY3ihKW8=

ZanakqMxkP7VdNfWdD4FGDqF

PYYbtzdINC1J0OYzQCk=

Fmg9LBxaPQ==

4eXWfoC06yGAkQ0l+Txs2w==

n68j2X6+CIhsD5GiCMYBsHI=

hRv6hpW3qfLbdI1XJ/J825G1TslJ+1JE

X6PAVGfwPHihKW8=

7zn1tkuDaZ2FKbGwQnm2

lB0m5ghWsSmMpIUS8EBM31l/463cqQ==

Extracted

Family

xloader

Version

3.8

Campaign

hzb3

Decoy

BVGWUXYpaaEaNSjsCHhJnDJz463cqQ==

CEqdZb0KaOLLbWqrDVTgc20=

nBv0jSFiQHxtE6awQnm2

E1sGpCJYtB8ImaguUyF6yQ==

PMBND7LzJGZH7CXulclbs2c=

u9zzlFGDXo6LLbGwQnm2

SaJjLbtVlMgsP5ZQRj4=

wckwEbwBbKA2X3g=

rPxB8ePUxfu4pilu

S562QFeKY5P//qawQnm2

BkEfWXZuY3ihKW8=

ZanakqMxkP7VdNfWdD4FGDqF

PYYbtzdINC1J0OYzQCk=

Fmg9LBxaPQ==

4eXWfoC06yGAkQ0l+Txs2w==

n68j2X6+CIhsD5GiCMYBsHI=

hRv6hpW3qfLbdI1XJ/J825G1TslJ+1JE

X6PAVGfwPHihKW8=

7zn1tkuDaZ2FKbGwQnm2

lB0m5ghWsSmMpIUS8EBM31l/463cqQ==

Targets

    • Target

      RFQ 97571784.exe

    • Size

      599KB

    • MD5

      c74c07398f92eaca8cc4e773796d6497

    • SHA1

      cb61c996bb0b7b9fbb4e4baece2fa6e142436ee5

    • SHA256

      5eacddfba11e9ce3946802e55e8abb159eb51a3bd27c7a92a68b8b23dcee79c8

    • SHA512

      0aa0ac665bab40ee96d99ba2f38c329e9d707688ccb8f07e04728e88eb2aaf37d1d65eaab06ff43de1d616261a1ac10428630b16c2cabf2b232156d5cdfdda11

    • SSDEEP

      12288:dToPWBv/cpGrU3yp0vx7mRfPClpthYMdTr7+XPho:dTbBv5rUO2mhsNv7ePho

    Score
    10/10
    formbookhzb3ratspywarestealertrojanxloaderloader

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks