General

  • Target

    f0a448d757645c4c8159d946be6cd741.exe

  • Size

    225KB

  • Sample

    221206-jx94vsgh74

  • MD5

    f0a448d757645c4c8159d946be6cd741

  • SHA1

    b91620ad9a0f0363bc2c1c853af4012966491706

  • SHA256

    22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7

  • SHA512

    0f02d99b5338c5869db540930f5b702a752ee7aa0ee3566f334c84783ce9bdd3c956f9f0073e4d11be7bd3e02c0b228c1761b9ee319f3739bcbdc8fd78d8163a

  • SSDEEP

    3072:QEhKzShSycSMymlNbHD6OwfyAET17nwrmPRTFdyEOTwkBu8eg8HCRtFT+uwptnS2:QBn1yo5DXwfyA87nE04MEu6+uwXnp8Xm

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

Extracted

Family

xloader

Version

3.Æ…

Campaign

henz

Decoy

Targets

    • Target

      f0a448d757645c4c8159d946be6cd741.exe

    • Formbook

      Formbook is an information-stealing malware family that harvests credentials and other data from the infected host.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic              Technique                       Signatures  ID
Defense Evasion     Modify Registry                 1           T1112
Credential Access   Credentials in Files            1           T1081
Discovery           Query Registry                  1           T1012
Discovery           System Information Discovery    2           T1082
Collection          Data from Local System          1           T1005
