formbook | 0962d318f1cf7b3f98240a0bca0c2cd2b9d931b7daeebb7e3957f60a68e4a4cd | Triage

Sharing

General

Target

vbc.exe
Size

934KB
Sample

221126-zjg4xsgc9v
MD5

444e92ce2d99f78435cc4357f146193c
SHA1

fd31840e971170556f3731965b226784bc896416
SHA256

0962d318f1cf7b3f98240a0bca0c2cd2b9d931b7daeebb7e3957f60a68e4a4cd
SHA512

294e0d0cd58c50f1bf642b031c1857bc7fae00194a1135a9d5aa234e56fa55a0b82d2755b98a58dc1e4d1310cf555805cb0900cde2826a48e735591a5b0e754d
SSDEEP

24576:aM+L74mBfNUstzooe/abyofZnbrFKThQQYAMB/C3r8JN:Z/abJrFqnYAMAI

Score

10^/10

formbook xloader pp14 loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

pp14

Decoy

96uCxeCMKh6g6SZ8

PdaMqgUpFicVDUjoSA==

zvepxwzr55Q=

3oMyd5GPXs7G+zJ0

dPyeXJlGZ8qN

hyXv/m14WzerZqV60JkjLg==

Dsuw8nKBZVGMvs7YvNE=

bRgERMHOlIExCW4=

LcGAquTzzX3C+3k=

AqVgic3GpXl1U8fJppt8Akfy

GbKInrcZ3aKhgZumCtM=

kUAwhBdMLRTBcMH3zQ+t26/dvRnvtQ==

5W5AvLNGZ8qN

Weuz0R5Bgka7CQ==

Kr+D2aolbJJOY93WutE=

lTkLF2FvPwIA5VFe9MPew8C24Mc=

ulcKFdJNl9jG+zJ0

NO3uBYm3j4ExCW4=

wGUnT2mMjYExCW4=

4a2cvxAbBRkPGnM=

Extracted

Family

xloader

Version

3.ƅ

Campaign

pp14

Decoy

96uCxeCMKh6g6SZ8

PdaMqgUpFicVDUjoSA==

zvepxwzr55Q=

3oMyd5GPXs7G+zJ0

dPyeXJlGZ8qN

hyXv/m14WzerZqV60JkjLg==

Dsuw8nKBZVGMvs7YvNE=

bRgERMHOlIExCW4=

LcGAquTzzX3C+3k=

AqVgic3GpXl1U8fJppt8Akfy

GbKInrcZ3aKhgZumCtM=

kUAwhBdMLRTBcMH3zQ+t26/dvRnvtQ==

5W5AvLNGZ8qN

Weuz0R5Bgka7CQ==

Kr+D2aolbJJOY93WutE=

lTkLF2FvPwIA5VFe9MPew8C24Mc=

ulcKFdJNl9jG+zJ0

NO3uBYm3j4ExCW4=

wGUnT2mMjYExCW4=

4a2cvxAbBRkPGnM=

Targets

- Target
  
  vbc.exe
- Size
  
  934KB
- MD5
  
  444e92ce2d99f78435cc4357f146193c
- SHA1
  
  fd31840e971170556f3731965b226784bc896416
- SHA256
  
  0962d318f1cf7b3f98240a0bca0c2cd2b9d931b7daeebb7e3957f60a68e4a4cd
- SHA512
  
  294e0d0cd58c50f1bf642b031c1857bc7fae00194a1135a9d5aa234e56fa55a0b82d2755b98a58dc1e4d1310cf555805cb0900cde2826a48e735591a5b0e754d
- SSDEEP
  
  24576:aM+L74mBfNUstzooe/abyofZnbrFKThQQYAMB/C3r8JN:Z/abJrFqnYAMAI
Score

10^/10

formbook xloader pp14 loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderpp14loaderratspywarestealertrojan