formbook | a6f5f14ccd69b162c953507c108e4bf73fd12ab1563666ab680ea685e93cde71 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

AJiwZGDbCiDzbQ0.exe
Size

833KB
Sample

221018-gx614afadk
MD5

39033dab0fd89aa8ecaff242fc98c7dc
SHA1

aa8a83d78a929dce80bad2786bc92e08028d134b
SHA256

a6f5f14ccd69b162c953507c108e4bf73fd12ab1563666ab680ea685e93cde71
SHA512

5a338c29938f29597ad42653eeec84886143c3d85bcae46a7ea0ebbaf4e0b103c421a9b9828cca90ba7ccb80681d564c2b0352ab25e60a328d7e1b6998929f00
SSDEEP

12288:rqAn3v9HiPyfPYD//DmqOINvJl7uQqO4mGwuo0Es/:p3vayfQrDmqOI9aQkmGwuo0

Score

10^/10

formbook xloader axe3 loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

axe3

Decoy

nV63ydJMXMf7memspIpnnVLl3Q==

uJ50rs5Y/80AqT79guHh

FcsTFQ1xekTgcal8G0P2ZTQ=

uLWWVJP++ID3dkoB8g==

YyoybGF5Fsa/UH8=

Tk4htwkBBfM5ZA==

QgJ8vN9f+uCdsD79guHh

wmjC9UuSBGyTrY5PAX9t1A==

Sw7JEwOKl576ndxw/A==

BOqs09Ikjej1BN98ZYtVfSi5xQ==

YA5cbH3/4wVAYg==

fRWIvatAXM3+t0X9guHh

FAbZXq/jFuaEq2YCwQh3b2oE

STL+RDTA652/tD/9guHh

zgLNcuX32aFB

WmgwW1UCJ/9Nc0ofkIhVyQ==

jiWgy9ckGh8G+3Q7Rl//NW9ZU7TU

JCoawiBkwAkeJOehkNXRCYnj3A==

WQDFZvang91P

zGrJ4CA2pAhR

Extracted

Family

xloader

Version

3.8

Campaign

axe3

Decoy

nV63ydJMXMf7memspIpnnVLl3Q==

uJ50rs5Y/80AqT79guHh

FcsTFQ1xekTgcal8G0P2ZTQ=

uLWWVJP++ID3dkoB8g==

YyoybGF5Fsa/UH8=

Tk4htwkBBfM5ZA==

QgJ8vN9f+uCdsD79guHh

wmjC9UuSBGyTrY5PAX9t1A==

Sw7JEwOKl576ndxw/A==

BOqs09Ikjej1BN98ZYtVfSi5xQ==

YA5cbH3/4wVAYg==

fRWIvatAXM3+t0X9guHh

FAbZXq/jFuaEq2YCwQh3b2oE

STL+RDTA652/tD/9guHh

zgLNcuX32aFB

WmgwW1UCJ/9Nc0ofkIhVyQ==

jiWgy9ckGh8G+3Q7Rl//NW9ZU7TU

JCoawiBkwAkeJOehkNXRCYnj3A==

WQDFZvang91P

zGrJ4CA2pAhR

Targets

- Target
  
  AJiwZGDbCiDzbQ0.exe
- Size
  
  833KB
- MD5
  
  39033dab0fd89aa8ecaff242fc98c7dc
- SHA1
  
  aa8a83d78a929dce80bad2786bc92e08028d134b
- SHA256
  
  a6f5f14ccd69b162c953507c108e4bf73fd12ab1563666ab680ea685e93cde71
- SHA512
  
  5a338c29938f29597ad42653eeec84886143c3d85bcae46a7ea0ebbaf4e0b103c421a9b9828cca90ba7ccb80681d564c2b0352ab25e60a328d7e1b6998929f00
- SSDEEP
  
  12288:rqAn3v9HiPyfPYD//DmqOINvJl7uQqO4mGwuo0Es/:p3vayfQrDmqOI9aQkmGwuo0
Score

10^/10

formbook xloader axe3 loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookxloaderaxe3loaderratspywarestealertrojan

behavioral2

formbookaxe3ratspywarestealertrojan