General

  • Target

    Supplier Purchase Order - PO0001478.IMG

  • Size

    1.4MB

  • Sample

    221006-tftqnahgh5

  • MD5

    d249b300e781b2ab26bf437f3faae9f6

  • SHA1

    97498e1d2b96b061815d2259da370f60bebd7bbc

  • SHA256

    7eaf1a6ae44e94a0ec273a6d81953f18e74153c3754ca98a1c0d6a9b6db86a4e

  • SHA512

    41a1e93454e690378480468a0e887a4f7191fea68e864acf37ac033edb85bff6cb9eb6b3bd944f1a22ea0971093341858c794f3dd9215b2da50dcd52e15a919a

  • SSDEEP

    12288:4xbkZK42iNC09uuRhIIVblRcDiLkR36xf8Dd4iMEpbADqjJ5nX8:4Q1Su/TNLkR3C8yMjrX
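
The two SSDEEP signatures on this page (this IMG and the PO.EXE listed under Targets) differ in a single character per chunk, so the IMG is essentially that PE wrapped in an ISO 9660 filesystem, which Windows 8 and later mount with a double-click. An analyst normally wants the embedded PE without mounting the lure. The Python below is an added example, not code from the report or the sandbox: it builds a minimal ISO 9660 image around a constructed stand-in for PO.EXE (a bare MZ/PE header stub, not the real sample) and then parses the primary volume descriptor and root directory to list and extract the files, printing each file's SHA-256 so it can be compared with the hash in the Targets section.

```python
"""Minimal ISO 9660 builder/parser for pulling a PE out of an IMG/ISO lure
without mounting it. Example code; the stand-in PE below is constructed."""
import hashlib
import sys

SECTOR = 2048


def _both(n: int, width: int) -> bytes:
    """ISO 9660 'both-byte-order' integer: little-endian copy then big-endian copy."""
    return n.to_bytes(width, "little") + n.to_bytes(width, "big")


def _dir_record(name: bytes, extent: int, size: int, flags: int) -> bytes:
    """Build one directory record (ECMA-119 9.1); flag 0x02 marks a directory."""
    body = (
        b"\x00"                 # extended attribute record length
        + _both(extent, 4)      # location of extent (LBA)
        + _both(size, 4)        # data length in bytes
        + bytes(7)              # recording date/time, left zeroed
        + bytes([flags])
        + b"\x00\x00"           # interleave unit size and gap size
        + _both(1, 2)           # volume sequence number
        + bytes([len(name)])
        + name
    )
    rec_len = 1 + len(body)
    if rec_len % 2:             # records must have even length
        rec_len += 1
    return (bytes([rec_len]) + body).ljust(rec_len, b"\x00")


def build_iso(volume_id: str, files: dict) -> bytes:
    """Lay out PVD (sector 16), terminator (17), root directory (18), file data (19+).
    Deliberately minimal: no path tables, Joliet or Rock Ridge."""
    root_lba, data_lba = 18, 19
    records = _dir_record(b"\x00", root_lba, SECTOR, 0x02)    # "."
    records += _dir_record(b"\x01", root_lba, SECTOR, 0x02)   # ".."
    payload = b""
    for name, data in files.items():
        lba = data_lba + len(payload) // SECTOR
        records += _dir_record(f"{name};1".encode("ascii"), lba, len(data), 0x00)
        payload += data + bytes(-len(data) % SECTOR)          # pad to a sector boundary
    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"                               # type 1, "CD001", version 1
    pvd[40:72] = volume_id.encode("ascii")[:32].ljust(32)
    pvd[80:88] = _both(data_lba + len(payload) // SECTOR, 4)  # volume space size (sectors)
    pvd[120:124] = _both(1, 2)                                # volume set size
    pvd[124:128] = _both(1, 2)                                # volume sequence number
    pvd[128:132] = _both(SECTOR, 2)                           # logical block size
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, 0x02)  # root directory record
    terminator = bytearray(SECTOR)
    terminator[0:7] = b"\xffCD001\x01"
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(terminator) + records.ljust(SECTOR, b"\x00") + payload


def list_iso(image: bytes) -> list:
    """Return [(name, size, data)] for every regular file in the root directory."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[0:7] != b"\x01CD001\x01":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    root = pvd[156:190]
    off = int.from_bytes(root[2:6], "little") * SECTOR
    end = off + int.from_bytes(root[10:14], "little")
    found = []
    while off < end:
        rec_len = image[off]
        if rec_len == 0:                        # zero length = padding up to the next sector
            off = (off // SECTOR + 1) * SECTOR
            continue
        rec = image[off:off + rec_len]
        extent = int.from_bytes(rec[2:6], "little")
        size = int.from_bytes(rec[10:14], "little")
        flags = rec[25]
        name = rec[33:33 + rec[32]].decode("ascii", "replace")
        if not flags & 0x02:                    # skip ".", ".." and subdirectories
            found.append((name.split(";")[0], size, image[extent * SECTOR:extent * SECTOR + size]))
        off += rec_len
    return found


def looks_like_pe(data: bytes) -> bool:
    """MZ header plus a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[60:64], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed stand-in for PO.EXE: a bare MZ/PE header stub, not the real sample.
FAKE_PE = b"MZ" + bytes(58) + (64).to_bytes(4, "little") + b"PE\x00\x00" + bytes(20)


def demo() -> list:
    image = build_iso("PO0001478", {"PO.EXE": FAKE_PE})
    return [(name, size, looks_like_pe(data)) for name, size, data in list_iso(image)]


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_iso("PO0001478", {"PO.EXE": FAKE_PE})
    for name, size, data in list_iso(image):
        print(f"{name:<16} {size:>10}  pe={looks_like_pe(data)}  sha256={hashlib.sha256(data).hexdigest()}")
```

Run it as `python3 unpack_img.py "Supplier Purchase Order - PO0001478.IMG"` against the real file and compare the printed SHA-256 with the PO.EXE hash under Targets. The parser reads only the ISO 9660 level-1 root directory; lures that carry their names solely in a Joliet or UDF tree, or that nest the payload in a subdirectory, need a fuller parser such as pycdlib.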

Malware Config

Extracted

Family

formbook

Campaign

r7cm

Decoy

Aqo0+xUSgri27ldyZ1IaWBPkw2TbEQ==

ZP/9kCFZzmfUkIgyoIwLGN0oyTc0W48=

P7qnLdI7nN6gDmiHlXEhWMpEO1bq

kiQwcHqHlEJGQOj4

iVggF68HUwBY9PKDvfZn3A==

85Xs9wxBf2/YbUnFHEl+fc1rAg==

fhCkZ4mlBTh3+2ZcVz9EULpn

9oQEyAM7q6Vzd1r8I22h39m/faY=

gFymGrT7TLQCkGjkIfdyvStfDA==

Tca3AVmwHVB7f+7rLdF9iMg=

P74RFbEaU4ZMMOLcH8qN

89WjqBar7bhM

hWQ2NcoNYFDNclLkKdF9iMg=

87qLiitpbJ4q4w==

67iJmOzoR/xtC4284tK91gmbTHy5HwUt

4lhAfaucExf7HQR1vfZn3A==

aTp3x97xXGz4cqgmJg==

EqafII6PyzJ99xBztYoRSW5tFQ==

vUanrfkDKfpnG1+4LpY=

i0tqsoz0DcJA

Extracted

Family

xloader

Version

3.8

Campaign

r7cm

Decoy

Aqo0+xUSgri27ldyZ1IaWBPkw2TbEQ==

ZP/9kCFZzmfUkIgyoIwLGN0oyTc0W48=

P7qnLdI7nN6gDmiHlXEhWMpEO1bq

kiQwcHqHlEJGQOj4

iVggF68HUwBY9PKDvfZn3A==

85Xs9wxBf2/YbUnFHEl+fc1rAg==

fhCkZ4mlBTh3+2ZcVz9EULpn

9oQEyAM7q6Vzd1r8I22h39m/faY=

gFymGrT7TLQCkGjkIfdyvStfDA==

Tca3AVmwHVB7f+7rLdF9iMg=

P74RFbEaU4ZMMOLcH8qN

89WjqBar7bhM

hWQ2NcoNYFDNclLkKdF9iMg=

87qLiitpbJ4q4w==

67iJmOzoR/xtC4284tK91gmbTHy5HwUt

4lhAfaucExf7HQR1vfZn3A==

aTp3x97xXGz4cqgmJg==

EqafII6PyzJ99xBztYoRSW5tFQ==

vUanrfkDKfpnG1+4LpY=

i0tqsoz0DcJA

Targets

    • Target

      PO.EXE

    • Size

      874KB

    • MD5

      82e39fd79e80fb9e2a5d1083db4649c2

    • SHA1

      c0f5e1212746ea51b59d77ed7b18302c5ce76bcb

    • SHA256

      735e6e491fcd3f5b9b0d678584298a2167a52b279dfc72f20ade5c48eb68587b

    • SHA512

      f1f3e30c9fdd14c4771f931703dda252f68c9da93d4bec1e288a30de11f9cfe8e426785391d0c1b9e7b2d957b6ad10162a1153aa355170cf2cca0e6638b7313b

    • SSDEEP

      12288:7xbkZK42iNC09uuRhIIVblRcDiLkR36xf8Dd4iMEpbADqjJ5nX8:7Q1Su/TNLkR3C8yMjrX

    • Formbook

      Formbook is an information stealer: it harvests credentials and form data from browsers and mail clients, logs keystrokes and clipboard contents, takes screenshots, and can download and run further payloads.

    • Xloader

      Xloader is the rebranded successor of Formbook, sold as malware-as-a-service; the Extracted blocks above carry the same campaign ID and decoy list under both names.

    • Checks computer location settings

      Reads the country code configured in the registry (typically HKCU\Control Panel\International\Geo\Nation), most likely to geofence execution to or away from particular countries.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
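
The three signatures above are behaviours, so it is worth being able to reproduce them from a raw API trace instead of trusting the sandbox's label. The Python below is an added example, not part of the report or the sandbox's own detection logic. It parses a constructed trace (the line layout, PIDs, paths and target process are all invented for the example) and flags (1) a read of the Nation value under HKCU\Control Panel\International\Geo, assumed here to be the key behind "Checks computer location settings", (2) a LoadLibrary of a path the same trace shows the sample writing, which is what "Loads dropped DLL" means, and (3) the ordered CreateProcess(CREATE_SUSPENDED) → WriteProcessMemory → SetThreadContext → ResumeThread chain that makes a SetThreadContext call suspicious (process hollowing), while ignoring SetThreadContext calls that lack the preceding steps.

```python
"""Triage of a sandbox API trace for the behaviours flagged in this report:
registry geofence lookup, loading a DLL the sample itself wrote, and the
CreateProcess(SUSPENDED) -> WriteProcessMemory -> SetThreadContext -> ResumeThread
hollowing sequence. Example code; the trace format and every value in it are constructed."""
import re
from collections import defaultdict

# Constructed trace in an assumed "pid tid Api(args) -> result" layout. This is not
# Tria.ge's real export format, and the PIDs, paths and target process are invented.
SAMPLE_TRACE = r"""
4120 4124 RegOpenKeyExW(HKCU, "Control Panel\International\Geo") -> 0
4120 4124 RegQueryValueExW("Nation") -> "244"
4120 4124 WriteFile("C:\Users\admin\AppData\Local\Temp\helper.dll", 0x1c000) -> 1
4120 4124 LoadLibraryW("C:\Users\admin\AppData\Local\Temp\helper.dll") -> 0x71a00000
4120 4124 LoadLibraryW("C:\Windows\SysWOW64\crypt32.dll") -> 0x75b00000
4120 4124 CreateProcessW("C:\Windows\SysWOW64\svchost.exe", flags=CREATE_SUSPENDED) -> pid=4488
4120 4124 NtUnmapViewOfSection(pid=4488) -> 0
4120 4124 WriteProcessMemory(pid=4488, size=0x2a000) -> 1
4120 4124 SetThreadContext(tid=4492) -> 1
4120 4124 ResumeThread(tid=4492) -> 1
"""

LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\w+)\((.*)\)\s*->\s*(.*)$")
QUOTED_RE = re.compile(r'"([^"]*)"')

# Assumption: the key behind the report's "Checks computer location settings" signature.
GEO_KEY = r"control panel\international\geo"
# Steps that must follow a CreateProcess(CREATE_SUSPENDED), in this order, for a hollowing hit.
HOLLOW_STEPS = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")

TAGS = {
    "geofence_registry_check": "Checks computer location settings (Query Registry, T1012)",
    "loads_dropped_dll": "Loads dropped DLL",
    "process_hollowing_sequence": "Suspicious use of SetThreadContext (process hollowing pattern)",
}


def parse_trace(text: str) -> list:
    """Turn trace lines into dicts; lines that do not match the layout are skipped."""
    calls = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, tid, api, args, ret = m.groups()
            calls.append({"pid": int(pid), "tid": int(tid), "api": api, "args": args, "ret": ret})
    return calls


def triage(calls: list) -> list:
    """Return [(pid, tag)] findings in trace order."""
    findings = []
    written = set()                  # lowercased paths the sample wrote to disk
    geo_opened = set()               # pids that opened the Geo key
    hollow_stage = defaultdict(int)  # pid -> how far through HOLLOW_STEPS it has progressed
    for c in calls:
        pid, api, args = c["pid"], c["api"], c["args"].lower()
        m = QUOTED_RE.search(args)
        path = m.group(1) if m else ""   # first quoted argument, usually a path or value name
        if api.startswith("RegOpenKeyEx") and GEO_KEY in args:
            geo_opened.add(pid)
        elif api.startswith("RegQueryValueEx") and pid in geo_opened and path == "nation":
            findings.append((pid, "geofence_registry_check"))
        elif api in ("WriteFile", "NtWriteFile") and path:
            written.add(path)
        elif api.startswith("LoadLibrary") and path in written:
            findings.append((pid, "loads_dropped_dll"))
        elif api.startswith("CreateProcess") and "create_suspended" in args:
            hollow_stage[pid] = 1        # stage 1: a suspended child now exists
        elif hollow_stage[pid] and api == HOLLOW_STEPS[hollow_stage[pid] - 1]:
            hollow_stage[pid] += 1       # unrelated calls in between (e.g. NtUnmapViewOfSection) are tolerated
            if hollow_stage[pid] > len(HOLLOW_STEPS):
                findings.append((pid, "process_hollowing_sequence"))
                hollow_stage[pid] = 0
    return findings


def summarize(text: str = SAMPLE_TRACE) -> list:
    return [(pid, tag, TAGS[tag]) for pid, tag in triage(parse_trace(text))]


if __name__ == "__main__":
    for pid, tag, desc in summarize():
        print(f"pid {pid}: {desc}")
```

Adapt LINE_RE to whatever your sandbox exports. The sequence check is kept per calling PID and tolerates extra calls between the steps, but it does not verify that the pid passed to WriteProcessMemory is the child returned by CreateProcess; a production rule should tie those together so an unrelated suspended process start cannot arm the detector.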

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 1
