formbook | 9ccfea6f6e58f4c30b55544c8718cf2c10a9c60b124a65ee51b79b269c95541d | Triage

Submit
Reports

Overview

overview

Static

static

103_FT2219...99.exe

windows7-x64

103_FT2219...99.exe

windows10-2004-x64

Sharing

General

Target

8181046141.zip
Size

835KB
Sample

221013-ydk3ysbcal
MD5

242a906bf6032e9ffe1d76eefeebc163
SHA1

21eb9944434924b76aa424768ed1281394ac9461
SHA256

9ccfea6f6e58f4c30b55544c8718cf2c10a9c60b124a65ee51b79b269c95541d
SHA512

5eed426714c75158e44bb77f8ee5961288d8e201e55e3ab027dd7d5f4886ee3acfdac24eae5120e00970b9ab3e3c5ec8c0faee488f7f940afa418de525f01e56
SSDEEP

12288:4j4iylvCraH+lJjjISqcTp+nCjQbRlDjGD2ZzWAbVPs1O7iWkXp0ghUIUEiJdHo7:vi1aH+Xjj1MCwRVapAb0gkBhLUpZ1l3U

Score

10^/10

formbook xloader 6hsc loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

103_FT22195J8MKV_0461571799.exe

Resource

win7-20220812-en

formbook xloader 6hsc loader rat spyware stealer trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

103_FT22195J8MKV_0461571799.exe

Resource

win10v2004-20220901-en

formbook xloader 6hsc loader persistence rat spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Campaign

6hsc

Decoy

6cvqXARAGlgdnnbXYQ==

Mi4yZ8FULou6w26U2FDnEbA=

Xmx0bJmRZGL+O0RFfLFNN9AMdwn+

B0WNhyl4T2gWBIqE1VDnEbA=

DI2G9/sG/v6YIh42aQ==

0NTaAl90ZWYiGV/bT4U=

DWCuXrL23Cc3xdIG/0dT

fTbzys/dddqOVQ==

8ClrDFi3i+asgxBOnguhlQ==

YjOkWLSpXeqrXw==

gAIov8vbtv8vr8/tFSXvDULL7thokKA=

xMW2qsXay7xNkonR/zxPo939

xc38fRlgO2opnnbXYQ==

+o31vQlURJKmLUWfHlMq0Gjs

z6GwWxCSKJLJ

2pnQ5evpehAxUt4hd6pq9X71

2CmXDSU2DTmDR+Q=

WV9ScxFQID1V2glQnguhlQ==

L8UDlK65h9wJ7Zeb3VDnEbA=

Agb4LF2bRcDX

SqH75PsH3yxQYR9z3lDnEbA=

h8YG/pfpllgN+r7yaw==

cCpqkbfNqAI/WfJXnguhlQ==

s+knLMwJ3fmRZA0te6Fq9X71

EhYdPd0p8iFxPuI=

Wi4xZri3naA0D1/bT4U=

nWvXcvs9HV2udQo0

l/fjU21+WpE7EF/bT4U=

GZ+SIsMP7w6iAf8+L1pZ

D0mUUXV1P4eNVf9XnguhlQ==

oTlyZvhJFgfB4HVztxCp9Kk=

5PX7IsMQ9DmDR+Q=

dDuAscnFXeqrXw==

kmSrIrD5vxpKxeI2fgO8nw==

1GeVOGNjUmY5yswG/0dT

EYeAIppGt1Gtc/w=

LsHxiswT3tNdNN33H1hhwazaMPvCdA==

8aWkrlDKZrPQ

D4yEIMEI3Nl1QskAbaVndnt00+exZKCtyA==

c8P4ktkmB0ZjAzFCc6Bq9X71

RZnXfaxn0lGtc/w=

ZCMfpTiBVVbfW1ReZMWGoVjo

dMEMsfdKzzmDR+Q=

KTNhf5Ojhd76DKChnguhlQ==

JjlvzPs2/zmDR+Q=

xTIvy3C0XeqrXw==

RcI2ZrS+mIIO2Xub2VDnEbA=

NZOF7/3/499y1QchTG01NlzX8NhokKA=

HJ6Q/QcE2b1DUqrYPXtb

mGvXcvtFNm2Be98zao8=

zRlTSJogCy0=

X2NdecEGn5RLWg==

S4vjrkiPfql//AhBfgO8nw==

oaau7EVWQpAFV1dCc6Bq9X71

rfAaG8H+2xxRQL4BdbB6sJb/Fw==

mKvX7jB8WGcqsaefzfT9UdUMdwn+

WyObTpesZFkXGF/bT4U=

tT9IwOv0tghBx94Xg7d3sJb/Fw==

ApLQj6+9Y+q1+fA=

4bu35JDPqdinbaAG/0dT

xo36lTCBQCSn6gIjV55q9X71

hhFB3UqZbWQoX6TbREhRtajbMPvCdA==

9r7+aqu4oqJPzND+g5gzP27h8thokKA=

xZJ+dpq2XeqrXw==

vuongnudan.site

Targets

- Target
  
  103_FT22195J8MKV_0461571799.exe
- Size
  
  971KB
- MD5
  
  ec330f4b57a3ae3fdf9ac1e8d5de9b1b
- SHA1
  
  e632b3bb2600ea043aa30afda9803b9f59e3a460
- SHA256
  
  546d510fae0de29da545eda3203b4a47ea41ba27f8f134c0fe902a776ca6a054
- SHA512
  
  939f80513a4df9ffa1b3dc2185908f802d0f0e3be351026433f6ea152d6bdbf2fba334212209f47a465d643b64473a60bb69cb6c9bc81aebbe33ca4f83a91dd4
- SSDEEP
  
  24576:eZ50MEcXYbV67BvaY9Xait3OgkH0sz8PfVT4:o5PEaYV67Bx9Ldu8Pfa
Score

10^/10

formbook xloader 6hsc loader rat spyware stealer trojan persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloader6hscloaderratspywarestealertrojan

behavioral2

formbookxloader6hscloaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy