formbook

General

Target

PEMBERITAHUAN PENGHANTARAN DHL EXPRESS UNTUK,PDF.exe
Size

626KB
Sample

221013-ntz7pscfd3
MD5

55b4f1db064ee9b4ba7310a69222d988
SHA1

8f44b552d711ae66b4386f7a8191122a7b435130
SHA256

877c80b684c652c2f687154dc3a8f4903d13dbb8e8383f473a11e043147ffcf3
SHA512

8de356931b7f8d16e9eb7dd6d2bfbe27ec1c583c9eb5f0718f3e3ed7c3e20a41fc3d3a214574fc9676d7e0bcdcfbae27d8e216b7b04838aa28a5b58b58d56969
SSDEEP

6144:dbE/HUnvK2MLSGPCeDt5gcllPlaJMqC0JmLiuXECmyTu:dbjKjSGPC25vl9Tb0JmBdmn

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

nrln

Decoy

IG7zJSm49UqTTuu/N/oTCIg=

CVLdAPgw0CRSMuZnRRU=

PiA5Z3umP2NyX81VGQhjWyS59nFYhXiG

5i6p4GeQqtBgNRfGNQ==

5984keYswxh8mGZHz4ipAHtQ

VNJaK4Gh0CrOvHpW/p353A==

71rEtrL2icToyKGhcWrTxjsFU5T98zeO

r3q1sy1iZaL+2XIUAob7yw==

9+83Qkrk/vV/jVXsDvoTCIg=

aMFAgYF1prov8/UErH/Y1A==

Alqtx/0rxwEbCLdudftl

ImCbnglBSUHF0mv2tTSP40bPeYao

s4DFNvAJ4GIJ+g==

phOa6mtS8QQICuZnRRU=

7TSu5vqRtB45EZtf4WDSTBHPeYao

ImPWqwUUIVWMQLyMbUab7tmspvNCcT8=

HF7jKjbGox2SAffTPw==

yAM3mOQot5l+cD0ikR5MGp8=

UYzW0/8z70JcQenVLidu1kLPeYao

OoCznp5UWz+hT9OBFXbfVhXPeYao

Extracted

Family

xloader

Version

3.8

Campaign

nrln

Decoy

IG7zJSm49UqTTuu/N/oTCIg=

CVLdAPgw0CRSMuZnRRU=

PiA5Z3umP2NyX81VGQhjWyS59nFYhXiG

5i6p4GeQqtBgNRfGNQ==

5984keYswxh8mGZHz4ipAHtQ

VNJaK4Gh0CrOvHpW/p353A==

71rEtrL2icToyKGhcWrTxjsFU5T98zeO

r3q1sy1iZaL+2XIUAob7yw==

9+83Qkrk/vV/jVXsDvoTCIg=

aMFAgYF1prov8/UErH/Y1A==

Alqtx/0rxwEbCLdudftl

ImCbnglBSUHF0mv2tTSP40bPeYao

s4DFNvAJ4GIJ+g==

phOa6mtS8QQICuZnRRU=

7TSu5vqRtB45EZtf4WDSTBHPeYao

ImPWqwUUIVWMQLyMbUab7tmspvNCcT8=

HF7jKjbGox2SAffTPw==

yAM3mOQot5l+cD0ikR5MGp8=

UYzW0/8z70JcQenVLidu1kLPeYao

OoCznp5UWz+hT9OBFXbfVhXPeYao

Targets

- Target
  
  PEMBERITAHUAN PENGHANTARAN DHL EXPRESS UNTUK,PDF.exe
- Size
  
  626KB
- MD5
  
  55b4f1db064ee9b4ba7310a69222d988
- SHA1
  
  8f44b552d711ae66b4386f7a8191122a7b435130
- SHA256
  
  877c80b684c652c2f687154dc3a8f4903d13dbb8e8383f473a11e043147ffcf3
- SHA512
  
  8de356931b7f8d16e9eb7dd6d2bfbe27ec1c583c9eb5f0718f3e3ed7c3e20a41fc3d3a214574fc9676d7e0bcdcfbae27d8e216b7b04838aa28a5b58b58d56969
- SSDEEP
  
  6144:dbE/HUnvK2MLSGPCeDt5gcllPlaJMqC0JmLiuXECmyTu:dbjKjSGPC25vl9Tb0JmBdmn
Score

10^/10

formbook nrln rat spyware stealer trojan xloader loader
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Xloader

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2