General

  • Target

    Payment Advice Note from 20.12.2022.exe

  • Size

    227KB

  • Sample

    221227-jdkpvshf6y

  • MD5

    72716594f35f6ba3e5c693860256112c

  • SHA1

    97a4fe6b145be13d9679da69c10711f8e825c6f8

  • SHA256

    5d7794808b4b21290ade85cdf843994b685623fdeec4c2f18ecb51e1c8cfb9bd

  • SHA512

    fd3e3ba8140311e0821d31822dfaea811852a208218dda043fd5fa90b4a33c1b716d5ec04bc186f3d516b1567f766dbb55d8954a695be0b3f49aaebe0097d99f

  • SSDEEP

    6144:rkwW3ekoyTrZXdWG2si5EZ8/bolZQbs+9sSS:Q3dbIGNOXosbs+91S

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Targets

    • Target

      Payment Advice Note from 20.12.2022.exe

    • Size

      227KB

    • MD5

      72716594f35f6ba3e5c693860256112c

    • SHA1

      97a4fe6b145be13d9679da69c10711f8e825c6f8

    • SHA256

      5d7794808b4b21290ade85cdf843994b685623fdeec4c2f18ecb51e1c8cfb9bd

    • SHA512

      fd3e3ba8140311e0821d31822dfaea811852a208218dda043fd5fa90b4a33c1b716d5ec04bc186f3d516b1567f766dbb55d8954a695be0b3f49aaebe0097d99f

    • SSDEEP

      6144:rkwW3ekoyTrZXdWG2si5EZ8/bolZQbs+9sSS:Q3dbIGNOXosbs+91S

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks