formbook | a9ed1381e07210fbb362eecb1ccd3bb75464bd7f63374c88521d8395fd660ed8 | Triage

Sharing

General

Target

tmp
Size

989KB
Sample

221101-tpryesdcg3
MD5

8fdeb9288ce47576a8607e2e58ab41e6
SHA1

e0c3f9a45831d582f4aedee7390334a1fae5a059
SHA256

a9ed1381e07210fbb362eecb1ccd3bb75464bd7f63374c88521d8395fd660ed8
SHA512

6e2c48d104662a69fe19f990ccc2dd79f4fde941c323ebcfcb1e1dd57a172afb9c25f98d963a29df6953be9846bf7589dde55b81145d64961f0c5ee19f1f529d
SSDEEP

12288:YNvpX+P31dxk8ihCwhuJ9zps7vT2DPC7VLRpelCwT5SoXDDgKTaPubII:yONdxk15uJLs7vycAlrT5ZXvgmh

Score

10^/10

formbook xloader ncpr evasion loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ncpr

Decoy

bVBX5DcJzr9yf94C3w==

pAza9ePFpFp759M=

GeHCdpsX/21yf94C3w==

A86m2jOAb2lCta5KjFGSBLa0Bdru/eQt

bEERX4lbMxXbYU3pYqPIU32+

XLFilcOTXqV04j9CxpgWTXS2

UQTWj58OqzP2ew==

MqVmrtvUwL+EuyI6FfY+xgYaxA==

Fe3ugYgE7GZT3UohKWCrog==

YsWZa7gt9HJXwDhOrwIWTXS2

9mk4g8/Nnlp759M=

g01M0Tsk/vVnrhpC5zZrpw==

ec6PYogewB7aZw==

JveT+/6JbtwGUcTPwA==

EO3y7N6/n5uK0eyQ+bdcU7x9zA==

SRMfKoboyEnEDYOUZWns8TU=

kW15b1o+IOtNpgst5zZrpw==

gUo40RWBHijfIAiuuMdrKA+WMdA=

HvDy2QVdG2cjuiJC7WrE6i4=

uwOMiN8j6q9/966Mltg=

Extracted

Family

xloader

Version

3.ƅ

Campaign

ncpr

Decoy

bVBX5DcJzr9yf94C3w==

pAza9ePFpFp759M=

GeHCdpsX/21yf94C3w==

A86m2jOAb2lCta5KjFGSBLa0Bdru/eQt

bEERX4lbMxXbYU3pYqPIU32+

XLFilcOTXqV04j9CxpgWTXS2

UQTWj58OqzP2ew==

MqVmrtvUwL+EuyI6FfY+xgYaxA==

Fe3ugYgE7GZT3UohKWCrog==

YsWZa7gt9HJXwDhOrwIWTXS2

9mk4g8/Nnlp759M=

g01M0Tsk/vVnrhpC5zZrpw==

ec6PYogewB7aZw==

JveT+/6JbtwGUcTPwA==

EO3y7N6/n5uK0eyQ+bdcU7x9zA==

SRMfKoboyEnEDYOUZWns8TU=

kW15b1o+IOtNpgst5zZrpw==

gUo40RWBHijfIAiuuMdrKA+WMdA=

HvDy2QVdG2cjuiJC7WrE6i4=

uwOMiN8j6q9/966Mltg=

Targets

- Target
  
  tmp
- Size
  
  989KB
- MD5
  
  8fdeb9288ce47576a8607e2e58ab41e6
- SHA1
  
  e0c3f9a45831d582f4aedee7390334a1fae5a059
- SHA256
  
  a9ed1381e07210fbb362eecb1ccd3bb75464bd7f63374c88521d8395fd660ed8
- SHA512
  
  6e2c48d104662a69fe19f990ccc2dd79f4fde941c323ebcfcb1e1dd57a172afb9c25f98d963a29df6953be9846bf7589dde55b81145d64961f0c5ee19f1f529d
- SSDEEP
  
  12288:YNvpX+P31dxk8ihCwhuJ9zps7vT2DPC7VLRpelCwT5SoXDDgKTaPubII:yONdxk15uJLs7vycAlrT5ZXvgmh
Score

10^/10

formbook xloader ncpr evasion loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookxloaderncprevasionloaderratspywarestealertrojan

behavioral2

formbookncprevasionratspywarestealertrojan