formbook

General

Target

Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exe
Size

527KB
Sample

221209-np1mnsda79
MD5

935896b0a7367983d64d1cf39014c698
SHA1

a073a30a468a54458b30f3d9abfa712995426e7b
SHA256

f24844ae60ec044f13365541b3e5f0cb41f9645ff7bc461820da7236518e2330
SHA512

d4d287a355cf8a50f5b19d96f98c25241c5686ba657c4bfc33da0d0a4a0a3e23a84bc407a40fe0b411e4391037ada656f2d9eb25ee7fae607e3b729878616b9c
SSDEEP

6144:/kw+0xk6e96C2U/2aqg9JBP/ECkkDoozYIdG2Cgf1bN9lpPAS+JsMMvOhdI:slzAKp5k5oLMqJlpYDJzMvOhdI

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Extracted

Family

xloader

Version

3.ƅ

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Targets

- Target
  
  Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exe
- Size
  
  527KB
- MD5
  
  935896b0a7367983d64d1cf39014c698
- SHA1
  
  a073a30a468a54458b30f3d9abfa712995426e7b
- SHA256
  
  f24844ae60ec044f13365541b3e5f0cb41f9645ff7bc461820da7236518e2330
- SHA512
  
  d4d287a355cf8a50f5b19d96f98c25241c5686ba657c4bfc33da0d0a4a0a3e23a84bc407a40fe0b411e4391037ada656f2d9eb25ee7fae607e3b729878616b9c
- SSDEEP
  
  6144:/kw+0xk6e96C2U/2aqg9JBP/ECkkDoozYIdG2Cgf1bN9lpPAS+JsMMvOhdI:slzAKp5k5oLMqJlpYDJzMvOhdI
Score

10^/10

formbook xloader m9ae loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Xloader

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2