General

  • Target

    SOA_Invoice_04930.exe

  • Size

    620KB

  • Sample

    221004-mxzjxaafc2

  • MD5

    e980fe4c7833022bb80b70abdda382de

  • SHA1

    8d82c1696df13202dc4d41f23c6df7f5fe18abee

  • SHA256

    8a9a70ca1dd6bd611d2b77bf233ab14f62b259d510973722a1381c237b4980f9

  • SHA512

    72ab8d6ce9e55266a45d60f046ec44df1ab51c6ff20e8f0a8376285921672f9efad57c22a52d2962556dd228d18b28e3d16dc8c3266f0837745ac9f089d5d68f

  • SSDEEP

    12288:NToPWBv/cpGrU3ypp8sGT72T4g+mtCYd/1l1fS7:NTbBv5rUOysGf2kxgN9fQ

Malware Config

Extracted

Family

formbook

Campaign

hzb3

Decoy

BVGWUXYpaaEaNSjsCHhJnDJz463cqQ==

CEqdZb0KaOLLbWqrDVTgc20=

nBv0jSFiQHxtE6awQnm2

E1sGpCJYtB8ImaguUyF6yQ==

PMBND7LzJGZH7CXulclbs2c=

u9zzlFGDXo6LLbGwQnm2

SaJjLbtVlMgsP5ZQRj4=

wckwEbwBbKA2X3g=

rPxB8ePUxfu4pilu

S562QFeKY5P//qawQnm2

BkEfWXZuY3ihKW8=

ZanakqMxkP7VdNfWdD4FGDqF

PYYbtzdINC1J0OYzQCk=

Fmg9LBxaPQ==

4eXWfoC06yGAkQ0l+Txs2w==

n68j2X6+CIhsD5GiCMYBsHI=

hRv6hpW3qfLbdI1XJ/J825G1TslJ+1JE

X6PAVGfwPHihKW8=

7zn1tkuDaZ2FKbGwQnm2

lB0m5ghWsSmMpIUS8EBM31l/463cqQ==

Extracted

Family

xloader

Version

3.8

Campaign

hzb3

Decoy

BVGWUXYpaaEaNSjsCHhJnDJz463cqQ==

CEqdZb0KaOLLbWqrDVTgc20=

nBv0jSFiQHxtE6awQnm2

E1sGpCJYtB8ImaguUyF6yQ==

PMBND7LzJGZH7CXulclbs2c=

u9zzlFGDXo6LLbGwQnm2

SaJjLbtVlMgsP5ZQRj4=

wckwEbwBbKA2X3g=

rPxB8ePUxfu4pilu

S562QFeKY5P//qawQnm2

BkEfWXZuY3ihKW8=

ZanakqMxkP7VdNfWdD4FGDqF

PYYbtzdINC1J0OYzQCk=

Fmg9LBxaPQ==

4eXWfoC06yGAkQ0l+Txs2w==

n68j2X6+CIhsD5GiCMYBsHI=

hRv6hpW3qfLbdI1XJ/J825G1TslJ+1JE

X6PAVGfwPHihKW8=

7zn1tkuDaZ2FKbGwQnm2

lB0m5ghWsSmMpIUS8EBM31l/463cqQ==

Targets

    • Target

      SOA_Invoice_04930.exe

    • Size

      620KB

    • MD5

      e980fe4c7833022bb80b70abdda382de

    • SHA1

      8d82c1696df13202dc4d41f23c6df7f5fe18abee

    • SHA256

      8a9a70ca1dd6bd611d2b77bf233ab14f62b259d510973722a1381c237b4980f9

    • SHA512

      72ab8d6ce9e55266a45d60f046ec44df1ab51c6ff20e8f0a8376285921672f9efad57c22a52d2962556dd228d18b28e3d16dc8c3266f0837745ac9f089d5d68f

    • SSDEEP

      12288:NToPWBv/cpGrU3ypp8sGT72T4g+mtCYd/1l1fS7:NTbBv5rUOysGf2kxgN9fQ

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks