formbook

General

Target

Doc MT103 _pdf.exe
Size

413KB
Sample

221126-p6qdpsha9w
MD5

062d6076b8f69168885f0cb4e1e22c60
SHA1

04a40a90fa3e7d9d7387631d9cdbd1cb65fb449c
SHA256

2f3e1bb8cbed038a582daa46b4ed9c387f01b8df5e9746364a9dd75ed3eb2b68
SHA512

b8218934c9eb53bf0de44d30228708ebb3f0d87af7b82fc362d003822e5a9298734ffd863143c54e6cd4b142f22f79aea06c72fb9ff5626f44a98d655b8e44df
SSDEEP

12288:Hd0OzAvfhYmXDAK6c+FodIh1FpgvxTuafi:9b8vJDiba9pK

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

6m92

Decoy

IwH07bzPfa+aWqQsOI1SxKkUsK/8JWH6

gAmrDzguz8iNUuBb9MRj/Q==

n8g30a0I2QcbykrFHnRaBa1gnw4=

uBcyEQC3paiG

3ka0jyr6vTwYotvX9SW2lo4O

SJmelmdD96pEHvoVvWMv4A==

jJA0oRzswcjxkBvg

XUTbWQIGpR1w7zlsVA==

ZE/7WnWIXYeZR/2mB/iXGIq38r9B

ccrY1oRNAoL228IEvWMv4A==

1NrB7FTco7g=

BuVq6qaZSQF5YKAJ8eOrwGluI0CN9kE=

MHaaXX/B0uNdPGg=

h48qpVM02Vefbmmal0vsGAHy1hk=

NAvqVyNxjup6bA==

vCzmWfwAqsmVV684pR9AvrNzyspL

j2z5VICYTVIJ2tgGu3WYl/priA==

a38VZg7Ghac=

FoI1qU0fpHNqMjDc1rM=

3C83/5uiR2tBE5cuESBxcFY=

Extracted

Family

xloader

Version

3.ƅ

Campaign

6m92

Decoy

IwH07bzPfa+aWqQsOI1SxKkUsK/8JWH6

gAmrDzguz8iNUuBb9MRj/Q==

n8g30a0I2QcbykrFHnRaBa1gnw4=

uBcyEQC3paiG

3ka0jyr6vTwYotvX9SW2lo4O

SJmelmdD96pEHvoVvWMv4A==

jJA0oRzswcjxkBvg

XUTbWQIGpR1w7zlsVA==

ZE/7WnWIXYeZR/2mB/iXGIq38r9B

ccrY1oRNAoL228IEvWMv4A==

1NrB7FTco7g=

BuVq6qaZSQF5YKAJ8eOrwGluI0CN9kE=

MHaaXX/B0uNdPGg=

h48qpVM02Vefbmmal0vsGAHy1hk=

NAvqVyNxjup6bA==

vCzmWfwAqsmVV684pR9AvrNzyspL

j2z5VICYTVIJ2tgGu3WYl/priA==

a38VZg7Ghac=

FoI1qU0fpHNqMjDc1rM=

3C83/5uiR2tBE5cuESBxcFY=

Targets

- Target
  
  Doc MT103 _pdf.exe
- Size
  
  413KB
- MD5
  
  062d6076b8f69168885f0cb4e1e22c60
- SHA1
  
  04a40a90fa3e7d9d7387631d9cdbd1cb65fb449c
- SHA256
  
  2f3e1bb8cbed038a582daa46b4ed9c387f01b8df5e9746364a9dd75ed3eb2b68
- SHA512
  
  b8218934c9eb53bf0de44d30228708ebb3f0d87af7b82fc362d003822e5a9298734ffd863143c54e6cd4b142f22f79aea06c72fb9ff5626f44a98d655b8e44df
- SSDEEP
  
  12288:Hd0OzAvfhYmXDAK6c+FodIh1FpgvxTuafi:9b8vJDiba9pK
Score

10^/10

formbook xloader 6m92 loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Xloader

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2