General
-
Target
payload_formbook.exe
-
Size
188KB
-
Sample
221220-3xb2lsed8y
-
MD5
96525c4a51a40ab74dcb485b86d72a84
-
SHA1
c0f5fb91272bcf033156266d447fadb58668fb96
-
SHA256
9e7423c4b8904ca8dc44c184cd15e755e1e0b554a9182b0e5d4c4e85f341eb84
-
SHA512
96f142b2eabc5109d87df0b3a6f39a4e735401981d71e471753215b2048924cb9f4f028f3b830de4f5f93d3e4d8711247c1d187f86549e6c3c8c06cfef62b3e3
-
SSDEEP
3072:y8qzRkfWIYczfzD7nqV+K0fp1TpckexJReVMsYykt9WIFMfWynpXA:yziWIYGzD77jp1FMRKMsCFMrn
Static task
static1
Behavioral task
behavioral1
Sample
payload_formbook.exe
Resource
win7-20220812-en
Malware Config
Extracted
formbook
pgnt
0WG18LbM4lR9iqMRa4nlBzTb
jcfGYzPgZTqFZVO9FV2yIw==
laIfrdSC8/4CNg==
Q73ilev5GIWuOrAAFV2yIw==
Q2u/pMw7pv4sPA==
TbqvIUHwlQscPo0HFV2yIw==
8PNWfGPyE8n0IQ==
WtgROxXzvY2L
PryaRBNjm4eP
Y9Hdi06Cry1um9Sj68YAu1o=
3Gulyp7CMQtR78jvLkk=
JJ3GasTVTCRQT6Tfz6S6GlI=
RnS42bhb9tI0R6UpD6wOxriNxw==
he1mi2sOGfzTRGHnuA==
eaYjCtjxVjdU5XLRtBMBLKk9quA=
k9rTeEqYzzw8WaTfz6S6GlI=
5luVQwe2vJWKEAiMdF4=
MGW14L9OVk5Y5TaR6w/DqdhYxXVY
mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==
y5klhuMbE8n0IQ==
u/NKcEKARatNn/dT
ZJaHJQCvzDWRuPPmMsEVxriNxw==
nRhddlcPOegWrv5R
/njA0TJ1U+osPA==
pi8az6AySKlNn/dT
e/k+YjN+U+osPA==
kMAZ36lMWa3gRGHnuA==
wfX0nGsGE1yUJb1Jq33LoDdDWLSgFQ==
wfk35UJcfeHoRGHnuA==
dbzljekZ3ka2QYCYOP1I
Nq3kDeMNNJWDMnWYOP1I
Sa0SN/04cNje8xbaJLgUxriNxw==
yDejyZiQ/X/BQYiYOP1I
UIPN7ckznp2W
s/HtqJNKdmtv88jvLkk=
KanG2bhM0CsdiNrNF0E=
QLrtp3svzjcsTaJ9y5kPopyQzQ==
syhbC2iJZ8obK2Y7nHSa7CmdUuA=
HZXK676zo5OV
5WFoCWeuxqekcHx5YkE=
PbX1H/gmE8n0IQ==
3HTB6Asznp2W
9HGhWLLyrJXPcq4FRecyGU247XBS
/oW437jofmJ8DQiMdF4=
sh415lJ8q3cL3XJvaEA=
XucfBGWzVEg=
PKWeQgpB1cUHprue4sYAu1o=
MXFzDmuO/nBtmjc6g5elIVMbQeWFjyMN
q+v2lgI9Vb0rC2juug==
WYvkDdX8kEjU73U=
6BJjmWGiizGT
fLHageH29Ex1m8jvLkk=
3D+hsVkFtIyr5WI=
ntIbRgolp0jU73U=
GGGJMpC3pJPdQ8ZGkpxA
8FtjHvNDiICP
L63yFOor5uMdLqnrNNblBzTb
Gav/MgU4AByfuddW
xek7Tm3lhlY=
n2sDng5BBdtNn/dT
LZsINfoQH6dNn/dT
Io+SQh7ak0Ti7Gg=
T8Xci1oCP63aRGHnuA==
bZX0DnWMqxcyQ39hzOH+7U0BvmhP
hf9blwwuwpx7j8k.live
Extracted
xloader
3.�E
pgnt
0WG18LbM4lR9iqMRa4nlBzTb
jcfGYzPgZTqFZVO9FV2yIw==
laIfrdSC8/4CNg==
Q73ilev5GIWuOrAAFV2yIw==
Q2u/pMw7pv4sPA==
TbqvIUHwlQscPo0HFV2yIw==
8PNWfGPyE8n0IQ==
WtgROxXzvY2L
PryaRBNjm4eP
Y9Hdi06Cry1um9Sj68YAu1o=
3Gulyp7CMQtR78jvLkk=
JJ3GasTVTCRQT6Tfz6S6GlI=
RnS42bhb9tI0R6UpD6wOxriNxw==
he1mi2sOGfzTRGHnuA==
eaYjCtjxVjdU5XLRtBMBLKk9quA=
k9rTeEqYzzw8WaTfz6S6GlI=
5luVQwe2vJWKEAiMdF4=
MGW14L9OVk5Y5TaR6w/DqdhYxXVY
mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==
y5klhuMbE8n0IQ==
u/NKcEKARatNn/dT
ZJaHJQCvzDWRuPPmMsEVxriNxw==
nRhddlcPOegWrv5R
/njA0TJ1U+osPA==
pi8az6AySKlNn/dT
e/k+YjN+U+osPA==
kMAZ36lMWa3gRGHnuA==
wfX0nGsGE1yUJb1Jq33LoDdDWLSgFQ==
wfk35UJcfeHoRGHnuA==
dbzljekZ3ka2QYCYOP1I
Nq3kDeMNNJWDMnWYOP1I
Sa0SN/04cNje8xbaJLgUxriNxw==
yDejyZiQ/X/BQYiYOP1I
UIPN7ckznp2W
s/HtqJNKdmtv88jvLkk=
KanG2bhM0CsdiNrNF0E=
QLrtp3svzjcsTaJ9y5kPopyQzQ==
syhbC2iJZ8obK2Y7nHSa7CmdUuA=
HZXK676zo5OV
5WFoCWeuxqekcHx5YkE=
PbX1H/gmE8n0IQ==
3HTB6Asznp2W
9HGhWLLyrJXPcq4FRecyGU247XBS
/oW437jofmJ8DQiMdF4=
sh415lJ8q3cL3XJvaEA=
XucfBGWzVEg=
PKWeQgpB1cUHprue4sYAu1o=
MXFzDmuO/nBtmjc6g5elIVMbQeWFjyMN
q+v2lgI9Vb0rC2juug==
WYvkDdX8kEjU73U=
6BJjmWGiizGT
fLHageH29Ex1m8jvLkk=
3D+hsVkFtIyr5WI=
ntIbRgolp0jU73U=
GGGJMpC3pJPdQ8ZGkpxA
8FtjHvNDiICP
L63yFOor5uMdLqnrNNblBzTb
Gav/MgU4AByfuddW
xek7Tm3lhlY=
n2sDng5BBdtNn/dT
LZsINfoQH6dNn/dT
Io+SQh7ak0Ti7Gg=
T8Xci1oCP63aRGHnuA==
bZX0DnWMqxcyQ39hzOH+7U0BvmhP
hf9blwwuwpx7j8k.live
Targets
-
-
Target
payload_formbook.exe
-
Size
188KB
-
MD5
96525c4a51a40ab74dcb485b86d72a84
-
SHA1
c0f5fb91272bcf033156266d447fadb58668fb96
-
SHA256
9e7423c4b8904ca8dc44c184cd15e755e1e0b554a9182b0e5d4c4e85f341eb84
-
SHA512
96f142b2eabc5109d87df0b3a6f39a4e735401981d71e471753215b2048924cb9f4f028f3b830de4f5f93d3e4d8711247c1d187f86549e6c3c8c06cfef62b3e3
-
SSDEEP
3072:y8qzRkfWIYczfzD7nqV+K0fp1TpckexJReVMsYykt9WIFMfWynpXA:yziWIYGzD77jp1FMRKMsCFMrn
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-