formbook

General

Target

bill of lading - vnsea4331295.r01
Size

796KB
Sample

221130-wsxn7acg84
MD5

8fa4487d870aaf86d80b2f3c9ed66f64
SHA1

905adb6b37e572be42aa0b2a2a65d16040257a4a
SHA256

47cc4e74ff592ab0132e929b3221bc97bc3b9d933235272f81c480fe9ed03d6f
SHA512

e3416f976e40de0aed2ba82f95cc7720a5cd4d8e3a62ea63fed4e81694f17748becea1411edaa96a8378c6cbae66ba17b38fa71e8aa77fe318addda7bbe91621
SSDEEP

24576:wLC+0fPGAKsB4jLGoCwojoHZfksgFgIgWLIk:wLLa+A7HodAo5fksgF4WLIk

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

ntzb

Decoy

ec/NM1mI984Gb/9r

LIh84/7lSr8jyCJjNRy3cy5K/w==

ywyL4wf5IYKQvdNGr5hpUcZk

ibXIRT7wwpAGb/9r

jvlCCTIkf3aEc0yrhiKei9M=

JpvChtpFpghexluRIQ==

ufPzZvM9cUyAySmfh3VZ

IWlUsdnOG2qvOYvJMp9v2/IU7Q==

AShx1yFdwhMDEvts6yKei9M=

G0s8BkB7oPAhNESxLJisov0O4g==

5whNpsfrfGq6bT5VM5c=

7YrOda8xKRZpbX55Rp0=

lff5IDBTuCxnxluRIQ==

s/nqUHamCtIGb/9r

IqvUNFmH8soGb/9r

l8GtEDwvaHre8/VBHFv+wQ==

cb4m5SZjvr4EuU20ORuv4zoQMrY=

msP5quMgh5TOcT5VM5c=

yvEWmNz1G6jvgN1EHFv+wQ==

ZfcqLcYYqRdu9EWF7mUynGEx7sib

Extracted

Family

xloader

Version

3.ƅ

Campaign

ntzb

Decoy

ec/NM1mI984Gb/9r

LIh84/7lSr8jyCJjNRy3cy5K/w==

ywyL4wf5IYKQvdNGr5hpUcZk

ibXIRT7wwpAGb/9r

jvlCCTIkf3aEc0yrhiKei9M=

JpvChtpFpghexluRIQ==

ufPzZvM9cUyAySmfh3VZ

IWlUsdnOG2qvOYvJMp9v2/IU7Q==

AShx1yFdwhMDEvts6yKei9M=

G0s8BkB7oPAhNESxLJisov0O4g==

5whNpsfrfGq6bT5VM5c=

7YrOda8xKRZpbX55Rp0=

lff5IDBTuCxnxluRIQ==

s/nqUHamCtIGb/9r

IqvUNFmH8soGb/9r

l8GtEDwvaHre8/VBHFv+wQ==

cb4m5SZjvr4EuU20ORuv4zoQMrY=

msP5quMgh5TOcT5VM5c=

yvEWmNz1G6jvgN1EHFv+wQ==

ZfcqLcYYqRdu9EWF7mUynGEx7sib

Targets

- Target
  
  Bill Of Lading - VNSEA4331295.exe
- Size
  
  919KB
- MD5
  
  fa2b3a90b953f1919563c4494d8ada0b
- SHA1
  
  2c515413532fada3621210c7e2101146e6f5a5fa
- SHA256
  
  61667ea581c9bfc633099ba839280ee1086d68e7e9f98fb3e9d8b09a0a1ae404
- SHA512
  
  7b33069526852e1bc5595efa16a801894ec521d6a2a9410dad5a689827e28610ad1e80184826b4933b8581607f35e2c8177241870ca23183aeb53018b51b8b68
- SSDEEP
  
  12288:MGFDutOg6duUKLo2BPLDRNZSeqJrtVq6dG7xH1/dcR49w9WSGEtDdLrz5BEPHBSq:MpLDHEeIDq6g7xVimwPLAf9OBGN48
Score

10^/10

formbook xloader ntzb loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Xloader

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2