formbook

General

Target

SecuriteInfo.com.W32.MSIL_Kryptik.HWH.gen.Eldorado.6297.19796.exe
Size

394KB
Sample

221005-t6jclsehd5
MD5

76c787ad6fcdf9837f504da49b1083a8
SHA1

005a62cee55c5a6cf41bb1bf7587fecd3febd0b4
SHA256

5b52a42deff51ac5f3ef8120f65d103435bf45656e35812eefaaf889548afebe
SHA512

e3f4e019ce64000a09f7015730cfa7d7654e6fb93814d01fcc0d180ea11ef2e9b25698f50563a1b4c6e0cee56e2e727a7357bc9cd44b890e2c11e1347d11b547
SSDEEP

6144:XUc84mkngTGenJItK1Vv2WAJPjtPki+sX/c1CVdKrL36XLoJ8Lb7:q4mknZO4UD+tPgsX/c1Ci/36bB7

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

nrln

Decoy

IG7zJSm49UqTTuu/N/oTCIg=

CVLdAPgw0CRSMuZnRRU=

PiA5Z3umP2NyX81VGQhjWyS59nFYhXiG

5i6p4GeQqtBgNRfGNQ==

5984keYswxh8mGZHz4ipAHtQ

VNJaK4Gh0CrOvHpW/p353A==

71rEtrL2icToyKGhcWrTxjsFU5T98zeO

r3q1sy1iZaL+2XIUAob7yw==

9+83Qkrk/vV/jVXsDvoTCIg=

aMFAgYF1prov8/UErH/Y1A==

Alqtx/0rxwEbCLdudftl

ImCbnglBSUHF0mv2tTSP40bPeYao

s4DFNvAJ4GIJ+g==

phOa6mtS8QQICuZnRRU=

7TSu5vqRtB45EZtf4WDSTBHPeYao

ImPWqwUUIVWMQLyMbUab7tmspvNCcT8=

HF7jKjbGox2SAffTPw==

yAM3mOQot5l+cD0ikR5MGp8=

UYzW0/8z70JcQenVLidu1kLPeYao

OoCznp5UWz+hT9OBFXbfVhXPeYao

Extracted

Family

xloader

Version

3.8

Campaign

nrln

Decoy

IG7zJSm49UqTTuu/N/oTCIg=

CVLdAPgw0CRSMuZnRRU=

PiA5Z3umP2NyX81VGQhjWyS59nFYhXiG

5i6p4GeQqtBgNRfGNQ==

5984keYswxh8mGZHz4ipAHtQ

VNJaK4Gh0CrOvHpW/p353A==

71rEtrL2icToyKGhcWrTxjsFU5T98zeO

r3q1sy1iZaL+2XIUAob7yw==

9+83Qkrk/vV/jVXsDvoTCIg=

aMFAgYF1prov8/UErH/Y1A==

Alqtx/0rxwEbCLdudftl

ImCbnglBSUHF0mv2tTSP40bPeYao

s4DFNvAJ4GIJ+g==

phOa6mtS8QQICuZnRRU=

7TSu5vqRtB45EZtf4WDSTBHPeYao

ImPWqwUUIVWMQLyMbUab7tmspvNCcT8=

HF7jKjbGox2SAffTPw==

yAM3mOQot5l+cD0ikR5MGp8=

UYzW0/8z70JcQenVLidu1kLPeYao

OoCznp5UWz+hT9OBFXbfVhXPeYao

Targets

- Target
  
  SecuriteInfo.com.W32.MSIL_Kryptik.HWH.gen.Eldorado.6297.19796.exe
- Size
  
  394KB
- MD5
  
  76c787ad6fcdf9837f504da49b1083a8
- SHA1
  
  005a62cee55c5a6cf41bb1bf7587fecd3febd0b4
- SHA256
  
  5b52a42deff51ac5f3ef8120f65d103435bf45656e35812eefaaf889548afebe
- SHA512
  
  e3f4e019ce64000a09f7015730cfa7d7654e6fb93814d01fcc0d180ea11ef2e9b25698f50563a1b4c6e0cee56e2e727a7357bc9cd44b890e2c11e1347d11b547
- SSDEEP
  
  6144:XUc84mkngTGenJItK1Vv2WAJPjtPki+sX/c1CVdKrL36XLoJ8Lb7:q4mknZO4UD+tPgsX/c1Ci/36bB7
Score

10^/10

formbook xloader nrln loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Targets

Xloader

Drops startup file

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2