General

  • Target

    Scan_Pictures.exe

  • Size

    592KB

  • Sample

    221005-mc32laecan

  • MD5

    f8581e56190bf92b20e26c241676fb7e

  • SHA1

    21efc7fc501affed54cf4eeb9842a283a16fa4a1

  • SHA256

    8bdd8e2b3d91d21ea2cad77027b0a8b88f9d7d1ec2733b86c1c664bcd847b81d

  • SHA512

    4a1c96a7480a538bda2fb129e25d1382d0d0042cdeb44c4491b1a7b5ec63614acb5ef776d0fbe844d22620b1f801154a19ae714414cf6bcdb3b2ce1d1cad6784

  • SSDEEP

    12288:nToPWBv/cpGrU3yp9uQmvCduEnTImJ6Uav+:nTbBv5rUOtmvCd7Xav+

Malware Config

Extracted

  • Family

    formbook

  • Campaign

    hzb3

  • Decoy

    BVGWUXYpaaEaNSjsCHhJnDJz463cqQ==
    CEqdZb0KaOLLbWqrDVTgc20=
    nBv0jSFiQHxtE6awQnm2
    E1sGpCJYtB8ImaguUyF6yQ==
    PMBND7LzJGZH7CXulclbs2c=
    u9zzlFGDXo6LLbGwQnm2
    SaJjLbtVlMgsP5ZQRj4=
    wckwEbwBbKA2X3g=
    rPxB8ePUxfu4pilu
    S562QFeKY5P//qawQnm2
    BkEfWXZuY3ihKW8=
    ZanakqMxkP7VdNfWdD4FGDqF
    PYYbtzdINC1J0OYzQCk=
    Fmg9LBxaPQ==
    4eXWfoC06yGAkQ0l+Txs2w==
    n68j2X6+CIhsD5GiCMYBsHI=
    hRv6hpW3qfLbdI1XJ/J825G1TslJ+1JE
    X6PAVGfwPHihKW8=
    7zn1tkuDaZ2FKbGwQnm2
    lB0m5ghWsSmMpIUS8EBM31l/463cqQ==

Extracted

  • Family

    xloader

  • Version

    3.8

  • Campaign

    hzb3

  • Decoy

    BVGWUXYpaaEaNSjsCHhJnDJz463cqQ==
    CEqdZb0KaOLLbWqrDVTgc20=
    nBv0jSFiQHxtE6awQnm2
    E1sGpCJYtB8ImaguUyF6yQ==
    PMBND7LzJGZH7CXulclbs2c=
    u9zzlFGDXo6LLbGwQnm2
    SaJjLbtVlMgsP5ZQRj4=
    wckwEbwBbKA2X3g=
    rPxB8ePUxfu4pilu
    S562QFeKY5P//qawQnm2
    BkEfWXZuY3ihKW8=
    ZanakqMxkP7VdNfWdD4FGDqF
    PYYbtzdINC1J0OYzQCk=
    Fmg9LBxaPQ==
    4eXWfoC06yGAkQ0l+Txs2w==
    n68j2X6+CIhsD5GiCMYBsHI=
    hRv6hpW3qfLbdI1XJ/J825G1TslJ+1JE
    X6PAVGfwPHihKW8=
    7zn1tkuDaZ2FKbGwQnm2
    lB0m5ghWsSmMpIUS8EBM31l/463cqQ==

Targets

    • Target

      Scan_Pictures.exe

    • Formbook

      Formbook is an information-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Modify Registry (1) T1112

  • Discovery

    Query Registry (1) T1012
    System Information Discovery (2) T1082

Tasks