formbook

General

Target

dhl awb 3452778287 notification of shippment,pdf.exe
Size

659KB
Sample

221014-gxmbpabca8
MD5

47904c69cd284857d455ab111bb7ce8a
SHA1

efa07d4414797202617068554e4e4711ffc9b260
SHA256

31dc963b19ff5dd4be43311a2f7e016703c23caf5a29162ea87e7a03c9783486
SHA512

fcfb0486659d2e75f4e226d886731b187a0e7cd3f26585fa38ba72bb68843cb7564723d319a817cf96c269d8123329251b45c8890c78bb8579f978b8037f8520
SSDEEP

6144:dbE/HUEUSZ7C8MdIxXkjI1wofdtvS+a9EDyPY47suFPai55:db4USZ7wCkjawavgPL7ZlaiD

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

nrln

Decoy

IG7zJSm49UqTTuu/N/oTCIg=

CVLdAPgw0CRSMuZnRRU=

PiA5Z3umP2NyX81VGQhjWyS59nFYhXiG

5i6p4GeQqtBgNRfGNQ==

5984keYswxh8mGZHz4ipAHtQ

VNJaK4Gh0CrOvHpW/p353A==

71rEtrL2icToyKGhcWrTxjsFU5T98zeO

r3q1sy1iZaL+2XIUAob7yw==

9+83Qkrk/vV/jVXsDvoTCIg=

aMFAgYF1prov8/UErH/Y1A==

Alqtx/0rxwEbCLdudftl

ImCbnglBSUHF0mv2tTSP40bPeYao

s4DFNvAJ4GIJ+g==

phOa6mtS8QQICuZnRRU=

7TSu5vqRtB45EZtf4WDSTBHPeYao

ImPWqwUUIVWMQLyMbUab7tmspvNCcT8=

HF7jKjbGox2SAffTPw==

yAM3mOQot5l+cD0ikR5MGp8=

UYzW0/8z70JcQenVLidu1kLPeYao

OoCznp5UWz+hT9OBFXbfVhXPeYao

Extracted

Family

xloader

Version

3.8

Campaign

nrln

Decoy

IG7zJSm49UqTTuu/N/oTCIg=

CVLdAPgw0CRSMuZnRRU=

PiA5Z3umP2NyX81VGQhjWyS59nFYhXiG

5i6p4GeQqtBgNRfGNQ==

5984keYswxh8mGZHz4ipAHtQ

VNJaK4Gh0CrOvHpW/p353A==

71rEtrL2icToyKGhcWrTxjsFU5T98zeO

r3q1sy1iZaL+2XIUAob7yw==

9+83Qkrk/vV/jVXsDvoTCIg=

aMFAgYF1prov8/UErH/Y1A==

Alqtx/0rxwEbCLdudftl

ImCbnglBSUHF0mv2tTSP40bPeYao

s4DFNvAJ4GIJ+g==

phOa6mtS8QQICuZnRRU=

7TSu5vqRtB45EZtf4WDSTBHPeYao

ImPWqwUUIVWMQLyMbUab7tmspvNCcT8=

HF7jKjbGox2SAffTPw==

yAM3mOQot5l+cD0ikR5MGp8=

UYzW0/8z70JcQenVLidu1kLPeYao

OoCznp5UWz+hT9OBFXbfVhXPeYao

Targets

- Target
  
  dhl awb 3452778287 notification of shippment,pdf.exe
- Size
  
  659KB
- MD5
  
  47904c69cd284857d455ab111bb7ce8a
- SHA1
  
  efa07d4414797202617068554e4e4711ffc9b260
- SHA256
  
  31dc963b19ff5dd4be43311a2f7e016703c23caf5a29162ea87e7a03c9783486
- SHA512
  
  fcfb0486659d2e75f4e226d886731b187a0e7cd3f26585fa38ba72bb68843cb7564723d319a817cf96c269d8123329251b45c8890c78bb8579f978b8037f8520
- SSDEEP
  
  6144:dbE/HUEUSZ7C8MdIxXkjI1wofdtvS+a9EDyPY47suFPai55:db4USZ7wCkjawavgPL7ZlaiD
Score

10^/10

formbook xloader nrln loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Xloader

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2