formbook | fdd33a137aa5e4b3a1b1268297372067e246a8c0d9a812fb691a2d685444308d | Triage

Sharing

General

Target

Nuevo_orden.xls
Size

1.4MB
Sample

221208-m19t2scf9z
MD5

3ec6082c0c3d4230f50fb5492fca4ce5
SHA1

7785a87183386d911ef22ef01f56a124d5bbb4ed
SHA256

fdd33a137aa5e4b3a1b1268297372067e246a8c0d9a812fb691a2d685444308d
SHA512

09dca1b64c7f43f6855f530462079213ab8ae14f6eb4e70720d236c0ff7407ebd144880ad3f230f6f3c727866377fa75622baf2db476f7270e3ff8110bde516a
SSDEEP

24576:nzxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXD+m/Vr5XXXXXXXXXXXXUXXXXXXXrXXXx:I0S/XpWUe

Score

10^/10

formbook xloader ctap loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ctap

Decoy

7fuiHU5O7pBugItrXtDlRbQzVNAypQ==

Ioe4Ezkvrkk5SljtGsXC

7SdYmzWqxYzoB10eYg==

87z12VKpqmy0nXHtGsXC

frPRoZR38nhTXl/tGsXC

JybcU3xwAWn21yEPd4XnKA==

B6LTKeV3SeQZAg==

9iFOJSEVtE+I6ea4tn6M72ANGm3K

bROuHdVCVl63QIZuI2etey+ugP0=

25FDh/Be3fhaReK+BwZm9aY+og==

ipYbazKawI7oB10eYg==

Y3ONgI2GHcStmm5WhEZCsE/GlNJovg==

NMjp1U2zzpPoB10eYg==

ZZOygHxoGkBxNTz1RnI=

Hy1dkswBcyQh

94qXZbB1+8ciD4Q=

JUhyQ8Fxl+4gBA==

7wuj4eTJFutgR7+k1R8mIA==

Nj3QJ1RBulY2AMS/1R8mIA==

LjFXk8zI5vgdq8N6ropiNA==

Extracted

Family

xloader

Version

3.ƅ

Campaign

ctap

Decoy

7fuiHU5O7pBugItrXtDlRbQzVNAypQ==

Ioe4Ezkvrkk5SljtGsXC

7SdYmzWqxYzoB10eYg==

87z12VKpqmy0nXHtGsXC

frPRoZR38nhTXl/tGsXC

JybcU3xwAWn21yEPd4XnKA==

B6LTKeV3SeQZAg==

9iFOJSEVtE+I6ea4tn6M72ANGm3K

bROuHdVCVl63QIZuI2etey+ugP0=

25FDh/Be3fhaReK+BwZm9aY+og==

ipYbazKawI7oB10eYg==

Y3ONgI2GHcStmm5WhEZCsE/GlNJovg==

NMjp1U2zzpPoB10eYg==

ZZOygHxoGkBxNTz1RnI=

Hy1dkswBcyQh

94qXZbB1+8ciD4Q=

JUhyQ8Fxl+4gBA==

7wuj4eTJFutgR7+k1R8mIA==

Nj3QJ1RBulY2AMS/1R8mIA==

LjFXk8zI5vgdq8N6ropiNA==

Targets

- Target
  
  Nuevo_orden.xls
- Size
  
  1.4MB
- MD5
  
  3ec6082c0c3d4230f50fb5492fca4ce5
- SHA1
  
  7785a87183386d911ef22ef01f56a124d5bbb4ed
- SHA256
  
  fdd33a137aa5e4b3a1b1268297372067e246a8c0d9a812fb691a2d685444308d
- SHA512
  
  09dca1b64c7f43f6855f530462079213ab8ae14f6eb4e70720d236c0ff7407ebd144880ad3f230f6f3c727866377fa75622baf2db476f7270e3ff8110bde516a
- SSDEEP
  
  24576:nzxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXD+m/Vr5XXXXXXXXXXXXUXXXXXXXrXXXx:I0S/XpWUe
Score

10^/10

formbook xloader ctap loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookxloaderctaploaderratspywarestealertrojan

behavioral2