General

  • Target

    hsbc_payment_slip_04953.img

  • Size

    482KB

  • Sample

    221012-yq7gqaadhq

  • MD5

    a5bfe82249f584dc0d4e9206c1d9db28

  • SHA1

    8338eb692887f9164142502c0fc935b102610fd8

  • SHA256

    b3582f3562e2111206c4ca5cabc469cceddf2d92cd673072e248ebb3c71835c0

  • SHA512

    48d3d2e6391d312b3ed2305d93c62122633f51569608a1e174cf462e5c300274a22ec50ff47ae644e1a7b2bfb7d69f40021c6bc30c0a5b505b5551e76ba31329

  • SSDEEP

    12288:qN8xJjzPD7G28lNBLB2V3x9A4c3ZOXWC:qNQb7JIHLQi3MX

Malware Config

Extracted

Family

formbook

Campaign

hzb3

Decoy

BVGWUXYpaaEaNSjsCHhJnDJz463cqQ==

CEqdZb0KaOLLbWqrDVTgc20=

nBv0jSFiQHxtE6awQnm2

E1sGpCJYtB8ImaguUyF6yQ==

PMBND7LzJGZH7CXulclbs2c=

u9zzlFGDXo6LLbGwQnm2

SaJjLbtVlMgsP5ZQRj4=

wckwEbwBbKA2X3g=

rPxB8ePUxfu4pilu

S562QFeKY5P//qawQnm2

BkEfWXZuY3ihKW8=

ZanakqMxkP7VdNfWdD4FGDqF

PYYbtzdINC1J0OYzQCk=

Fmg9LBxaPQ==

4eXWfoC06yGAkQ0l+Txs2w==

n68j2X6+CIhsD5GiCMYBsHI=

hRv6hpW3qfLbdI1XJ/J825G1TslJ+1JE

X6PAVGfwPHihKW8=

7zn1tkuDaZ2FKbGwQnm2

lB0m5ghWsSmMpIUS8EBM31l/463cqQ==

Extracted

Family

xloader

Version

3.8

Campaign

hzb3

Decoy

BVGWUXYpaaEaNSjsCHhJnDJz463cqQ==

CEqdZb0KaOLLbWqrDVTgc20=

nBv0jSFiQHxtE6awQnm2

E1sGpCJYtB8ImaguUyF6yQ==

PMBND7LzJGZH7CXulclbs2c=

u9zzlFGDXo6LLbGwQnm2

SaJjLbtVlMgsP5ZQRj4=

wckwEbwBbKA2X3g=

rPxB8ePUxfu4pilu

S562QFeKY5P//qawQnm2

BkEfWXZuY3ihKW8=

ZanakqMxkP7VdNfWdD4FGDqF

PYYbtzdINC1J0OYzQCk=

Fmg9LBxaPQ==

4eXWfoC06yGAkQ0l+Txs2w==

n68j2X6+CIhsD5GiCMYBsHI=

hRv6hpW3qfLbdI1XJ/J825G1TslJ+1JE

X6PAVGfwPHihKW8=

7zn1tkuDaZ2FKbGwQnm2

lB0m5ghWsSmMpIUS8EBM31l/463cqQ==

Targets

    • Target

      hsbc_payment_slip_04953.exe

    • Size

      420KB

    • MD5

      2c1a310adaf1ada414d77cc254d6be46

    • SHA1

      112fcc5b04191e71d7665bf6dbc430119ea41cef

    • SHA256

      e3fbfc9c6a60f64dc93732978fad0fc20e7befbb8182dcc7f6b6424d90a6edd1

    • SHA512

      ff4854422c8169d98ba0010cc6cbd3af56c81e24b6ad5ef6b7654d2f7f1f34dfa5b9423296be8da2e8625c5127992218e051adf53352a89724d7c9be9025e845

    • SSDEEP

      12288:LN8xJjzPD7G28lNBLB2V3x9A4c3ZOXWCO:LNQb7JIHLQi3MXq

    • Formbook

      Formbook is an information stealer: it harvests saved credentials, form data and keystrokes from browsers and other applications on the infected host and forwards them to its operators.

    • Xloader

      Xloader is the rebranded successor of Formbook and shares its configuration format; both extracts above carry the same campaign ID (hzb3) and the same decoy list, which is why the report lists both families for one sample.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry (HKCU\Control Panel\International\Geo\Nation), most likely as a geofence so the payload can refuse to run in locales the operators want to avoid.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers routinely read browser profile directories, which hold saved credentials, cookies, session tokens and autofill data.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context, typically the suspended main thread of a freshly created child process, is the final step of the classic process-hollowing sequence (create suspended, overwrite the image, SetThreadContext, ResumeThread), a technique Formbook is known to use for injecting its payload.
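The hashes and the extracted "Decoy" strings above are the parts of this report a responder actually reuses. The following is an added example, not code from the sandbox or from the report: it carries the report's MD5/SHA-1/SHA-256 values for both the .img lure and the .exe it contains, checks an arbitrary byte buffer or file against them, and base64-decodes the decoy list. It assumes (as the report does not state explicitly) that the decoy values are base64 text; the decoded bytes are still the extractor's encrypted form and are not decrypted here. The probe buffer used in the usage section is constructed and not a real sample.

```python
import base64
import hashlib
import sys

# Hashes copied from the report: the .img lure and the .exe it carries.
REPORT_IOCS = {
    "hsbc_payment_slip_04953.img": {
        "md5": "a5bfe82249f584dc0d4e9206c1d9db28",
        "sha1": "8338eb692887f9164142502c0fc935b102610fd8",
        "sha256": "b3582f3562e2111206c4ca5cabc469cceddf2d92cd673072e248ebb3c71835c0",
    },
    "hsbc_payment_slip_04953.exe": {
        "md5": "2c1a310adaf1ada414d77cc254d6be46",
        "sha1": "112fcc5b04191e71d7665bf6dbc430119ea41cef",
        "sha256": "e3fbfc9c6a60f64dc93732978fad0fc20e7befbb8182dcc7f6b6424d90a6edd1",
    },
}

# The 20 "Decoy" entries from the extracted config (the formbook and xloader
# extracts list the same values, so they are kept once).
REPORT_DECOYS = [
    "BVGWUXYpaaEaNSjsCHhJnDJz463cqQ==", "CEqdZb0KaOLLbWqrDVTgc20=",
    "nBv0jSFiQHxtE6awQnm2", "E1sGpCJYtB8ImaguUyF6yQ==",
    "PMBND7LzJGZH7CXulclbs2c=", "u9zzlFGDXo6LLbGwQnm2",
    "SaJjLbtVlMgsP5ZQRj4=", "wckwEbwBbKA2X3g=",
    "rPxB8ePUxfu4pilu", "S562QFeKY5P//qawQnm2",
    "BkEfWXZuY3ihKW8=", "ZanakqMxkP7VdNfWdD4FGDqF",
    "PYYbtzdINC1J0OYzQCk=", "Fmg9LBxaPQ==",
    "4eXWfoC06yGAkQ0l+Txs2w==", "n68j2X6+CIhsD5GiCMYBsHI=",
    "hRv6hpW3qfLbdI1XJ/J825G1TslJ+1JE", "X6PAVGfwPHihKW8=",
    "7zn1tkuDaZ2FKbGwQnm2", "lB0m5ghWsSmMpIUS8EBM31l/463cqQ==",
]


def digests(data: bytes) -> dict:
    """Hex digests of the buffer for every algorithm the report lists
    (ssdeep is omitted: it needs a third-party library)."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def match_iocs(data: bytes, iocs: dict = REPORT_IOCS) -> list:
    """Return (artefact name, algorithm) pairs whose digest matches `data`.
    An empty list means the buffer is neither the lure nor the payload."""
    seen = digests(data)
    hits = []
    for name, expected in iocs.items():
        for algo, value in expected.items():
            if seen.get(algo) == value.lower():
                hits.append((name, algo))
    return hits


def decode_decoys(decoys=REPORT_DECOYS) -> list:
    """Base64-decode the decoy entries (assumed base64; the result is still
    the extractor's encrypted form, not plaintext domains)."""
    return [base64.b64decode(entry) for entry in decoys]


if __name__ == "__main__":
    # Usage: python iocs.py [file]; with no argument a constructed probe is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = b"constructed probe buffer, not a real sample"
    print("matches:", match_iocs(blob) or "none")
    print("decoy blobs:", [len(b) for b in decode_decoys()])
```

Exact-hash matching only catches this build; the ssdeep values in the report (which differ between the .img and the .exe only in their trailing characters) are the better pivot for finding re-packed siblings, and the decoded decoy blobs are only useful once run through the family's decryption routine.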

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                          ID     Count
  Defense Evasion     Modify Registry                    T1112  1
  Credential Access   Credentials in Files               T1081  1
  Discovery           Query Registry                     T1012  1
  Discovery           System Information Discovery       T1082  2
  Collection          Data from Local System             T1005  1

Note that the IDs follow ATT&CK v6; T1081 has since been retired in favour of T1552.001 (Unsecured Credentials: Credentials In Files), so map it before feeding these into a current-version detection catalogue.
