General

  • Target

    scan_pictures.exe

  • Size

    370KB

  • Sample

    221007-lhlttscag6

  • MD5

    8de66376e7ec767b186df680b27a9333

  • SHA1

    73ed9713241c33e165dd3909abf94e22f4b7f39d

  • SHA256

    4eaa6cbb07ff01de61ba87d140ca4dcd5c4054f9796bc6c15e6946ef484991ff

  • SHA512

    4d3368695962783cc563be9a783dfa3a07e11d259f8eda4be3a6d4362226eb3e343f699b24bdc985a709bc9533fff2fb189c160dbb65e3d5333b1b77a4640160

  • SSDEEP

    6144:ANeZHRxXIP0knr07RTMjZJeurnQB2uDG8d7bjYNDUo0xIjgMyHdCwEzxIS9Onnkv:ANOk8RuZtsBbDG8d73VIcM7t9+njAs6n

Malware Config

Extracted

  • Family

    formbook

  • Campaign

    hzb3

  • Decoy

    BVGWUXYpaaEaNSjsCHhJnDJz463cqQ==
    CEqdZb0KaOLLbWqrDVTgc20=
    nBv0jSFiQHxtE6awQnm2
    E1sGpCJYtB8ImaguUyF6yQ==
    PMBND7LzJGZH7CXulclbs2c=
    u9zzlFGDXo6LLbGwQnm2
    SaJjLbtVlMgsP5ZQRj4=
    wckwEbwBbKA2X3g=
    rPxB8ePUxfu4pilu
    S562QFeKY5P//qawQnm2
    BkEfWXZuY3ihKW8=
    ZanakqMxkP7VdNfWdD4FGDqF
    PYYbtzdINC1J0OYzQCk=
    Fmg9LBxaPQ==
    4eXWfoC06yGAkQ0l+Txs2w==
    n68j2X6+CIhsD5GiCMYBsHI=
    hRv6hpW3qfLbdI1XJ/J825G1TslJ+1JE
    X6PAVGfwPHihKW8=
    7zn1tkuDaZ2FKbGwQnm2
    lB0m5ghWsSmMpIUS8EBM31l/463cqQ==

Extracted

  • Family

    xloader

  • Version

    3.8

  • Campaign

    hzb3

  • Decoy

    BVGWUXYpaaEaNSjsCHhJnDJz463cqQ==
    CEqdZb0KaOLLbWqrDVTgc20=
    nBv0jSFiQHxtE6awQnm2
    E1sGpCJYtB8ImaguUyF6yQ==
    PMBND7LzJGZH7CXulclbs2c=
    u9zzlFGDXo6LLbGwQnm2
    SaJjLbtVlMgsP5ZQRj4=
    wckwEbwBbKA2X3g=
    rPxB8ePUxfu4pilu
    S562QFeKY5P//qawQnm2
    BkEfWXZuY3ihKW8=
    ZanakqMxkP7VdNfWdD4FGDqF
    PYYbtzdINC1J0OYzQCk=
    Fmg9LBxaPQ==
    4eXWfoC06yGAkQ0l+Txs2w==
    n68j2X6+CIhsD5GiCMYBsHI=
    hRv6hpW3qfLbdI1XJ/J825G1TslJ+1JE
    X6PAVGfwPHihKW8=
    7zn1tkuDaZ2FKbGwQnm2
    lB0m5ghWsSmMpIUS8EBM31l/463cqQ==

Targets

    • Target

      scan_pictures.exe

    • Size

      370KB

    • MD5

      8de66376e7ec767b186df680b27a9333

    • SHA1

      73ed9713241c33e165dd3909abf94e22f4b7f39d

    • SHA256

      4eaa6cbb07ff01de61ba87d140ca4dcd5c4054f9796bc6c15e6946ef484991ff

    • SHA512

      4d3368695962783cc563be9a783dfa3a07e11d259f8eda4be3a6d4362226eb3e343f699b24bdc985a709bc9533fff2fb189c160dbb65e3d5333b1b77a4640160

    • SSDEEP

      6144:ANeZHRxXIP0knr07RTMjZJeurnQB2uDG8d7bjYNDUo0xIjgMyHdCwEzxIS9Onnkv:ANOk8RuZtsBbDG8d73VIcM7t9+njAs6n

    • Formbook

      Formbook is a data-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (1): T1112

  • Discovery

    Query Registry (1): T1012
    System Information Discovery (2): T1082

Tasks