General

  • Target

    44ff207640bbc0f8e26c8107eff9e833855e423bdf5807cd984a4c29280d000d.exe

  • Size

    238KB

  • Sample

    230106-ry5jrsce8z

  • MD5

    a5ec1b4efda3e05a43d9c6dab3ccc4a2

  • SHA1

    2a4d2c1d0f81a84dca80def53b14e4abc13aaf4f

  • SHA256

    44ff207640bbc0f8e26c8107eff9e833855e423bdf5807cd984a4c29280d000d

  • SHA512

    207983c374065b8d00ff8af546196607df659dab6588af0bde8939876086f7df14dc758c07b5a45bd800d53272d7a60c4a8ecb30e4f519b0b5feff5139c5ea65

  • SSDEEP

    6144:QBn1DvF4M1wfKlMdnsvgLNoqtt56q5Gk6ZiY+gXZPh5Cmfv:gDyM1wf4MdsvgLNBGlZijgXZCMv

Malware Config

Extracted

Family

formbook

Campaign

e97n

Decoy


Extracted

Family

xloader

Version

3.Æ…

Campaign

e97n

Decoy


Targets

    • Target

      44ff207640bbc0f8e26c8107eff9e833855e423bdf5807cd984a4c29280d000d.exe

    • Formbook

      Formbook is data-stealing malware.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks