formbook

General

Target

payload_formbook.exe
Size

188KB
Sample

221220-3xb2lsed8y
MD5

96525c4a51a40ab74dcb485b86d72a84
SHA1

c0f5fb91272bcf033156266d447fadb58668fb96
SHA256

9e7423c4b8904ca8dc44c184cd15e755e1e0b554a9182b0e5d4c4e85f341eb84
SHA512

96f142b2eabc5109d87df0b3a6f39a4e735401981d71e471753215b2048924cb9f4f028f3b830de4f5f93d3e4d8711247c1d187f86549e6c3c8c06cfef62b3e3
SSDEEP

3072:y8qzRkfWIYczfzD7nqV+K0fp1TpckexJReVMsYykt9WIFMfWynpXA:yziWIYGzD77jp1FMRKMsCFMrn

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

pgnt

Decoy

0WG18LbM4lR9iqMRa4nlBzTb

jcfGYzPgZTqFZVO9FV2yIw==

laIfrdSC8/4CNg==

Q73ilev5GIWuOrAAFV2yIw==

Q2u/pMw7pv4sPA==

TbqvIUHwlQscPo0HFV2yIw==

8PNWfGPyE8n0IQ==

WtgROxXzvY2L

PryaRBNjm4eP

Y9Hdi06Cry1um9Sj68YAu1o=

3Gulyp7CMQtR78jvLkk=

JJ3GasTVTCRQT6Tfz6S6GlI=

RnS42bhb9tI0R6UpD6wOxriNxw==

he1mi2sOGfzTRGHnuA==

eaYjCtjxVjdU5XLRtBMBLKk9quA=

k9rTeEqYzzw8WaTfz6S6GlI=

5luVQwe2vJWKEAiMdF4=

MGW14L9OVk5Y5TaR6w/DqdhYxXVY

mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==

y5klhuMbE8n0IQ==

Extracted

Family

xloader

Version

3.�E

Campaign

pgnt

Decoy

0WG18LbM4lR9iqMRa4nlBzTb

jcfGYzPgZTqFZVO9FV2yIw==

laIfrdSC8/4CNg==

Q73ilev5GIWuOrAAFV2yIw==

Q2u/pMw7pv4sPA==

TbqvIUHwlQscPo0HFV2yIw==

8PNWfGPyE8n0IQ==

WtgROxXzvY2L

PryaRBNjm4eP

Y9Hdi06Cry1um9Sj68YAu1o=

3Gulyp7CMQtR78jvLkk=

JJ3GasTVTCRQT6Tfz6S6GlI=

RnS42bhb9tI0R6UpD6wOxriNxw==

he1mi2sOGfzTRGHnuA==

eaYjCtjxVjdU5XLRtBMBLKk9quA=

k9rTeEqYzzw8WaTfz6S6GlI=

5luVQwe2vJWKEAiMdF4=

MGW14L9OVk5Y5TaR6w/DqdhYxXVY

mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==

y5klhuMbE8n0IQ==

Targets

- Target
  
  payload_formbook.exe
- Size
  
  188KB
- MD5
  
  96525c4a51a40ab74dcb485b86d72a84
- SHA1
  
  c0f5fb91272bcf033156266d447fadb58668fb96
- SHA256
  
  9e7423c4b8904ca8dc44c184cd15e755e1e0b554a9182b0e5d4c4e85f341eb84
- SHA512
  
  96f142b2eabc5109d87df0b3a6f39a4e735401981d71e471753215b2048924cb9f4f028f3b830de4f5f93d3e4d8711247c1d187f86549e6c3c8c06cfef62b3e3
- SSDEEP
  
  3072:y8qzRkfWIYczfzD7nqV+K0fp1TpckexJReVMsYykt9WIFMfWynpXA:yziWIYGzD77jp1FMRKMsCFMrn
Score

10^/10

formbook pgnt rat spyware stealer trojan xloader loader
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Xloader

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2