formbook | 13a743db77a54ff14ced8a949be8a503f65962cd7217155fd662481733c0316e | Triage

Submit
Reports

Overview

overview

Static

static

Invoice NO...95.exe

windows7-x64

Invoice NO...95.exe

windows10-2004-x64

Sharing

General

Target

Invoice NO 22073895.xz
Size

398KB
Sample

230110-q2csgsgc26
MD5

2aed2d73627ef548674c462fb6c8697f
SHA1

57fe4dcc4cd1a304e6f1c2c7d27ac462778f61ac
SHA256

13a743db77a54ff14ced8a949be8a503f65962cd7217155fd662481733c0316e
SHA512

590bbbcce0d8cdcded306c92a0dd68a4f4b140aad8aeb5c1ffd2e5f095e3810ebe1843ab621a9b602638d271dd6a8b689de14ffce268e3c8a731a382a8f5dd68
SSDEEP

12288:KaCI5jAS2vxqeZe5fh7NfdtLuCWtMiYz3aKC:3CI1n25qeZGfh7TwCW6iAqx

Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Invoice NO 22073895.exe

Resource

win7-20221111-en

formbook xloader poub loader persistence rat spyware stealer trojan

windows7-x64

19 signatures

300 seconds

Behavioral task

behavioral2

Sample

Invoice NO 22073895.exe

Resource

win10v2004-20221111-en

formbook xloader poub loader persistence rat spyware stealer trojan

windows10-2004-x64

17 signatures

300 seconds

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Muif0yE4CQN1VOs=

VEt6//SsIukFo46EOTs=

Z8su52MYL67C

usDwuHRs8/KlWg==

idmltXXu7XAgHLE/UPTcjw==

QPrxO2shWNiGexGboHDSRqBQ1TBd

hq9rqBND8/KlWg==

QS9iHFx08/KlWg==

v1soVFoThEdt/B/dK0v4+6Wb

7rqJytN13KKAQEW7

OWbeN2SDJwonsI6EOTs=

aqQrrKZDm16GMlAtvxavW1Cf

imnEZWIEbC4M8Q+i

Bry3oQg5+6ZaUNxzwg==

B3vYmyxPQS5XYvmCsqQXX8X948Zf

KbGBmwwCyKTKsUcRUNN6CD61aw==

2WpDae4P+W4cdqc8kPBcjqg0wS1X

MvkZLPRY25jI

Alr0VZGxYxG3dR/zSNjBhQ==

ZJkdjczlrF+8l0Os

dcmMkFm+QhFD4OM=

fMdUrd4J1n4mmWElww==

Gat+k1fHg11vTQ==

sn+7Q4uxaAu9FyGv7k24F1DWaBEvmRI=

CjvGRTnXOhtN6QSNxhmvW1Cf

CpHvP2VSxaKAQEW7

qQWkEUJYFKhPttOZ4MarX8KKLl+/Jg==

GNVP4yIy8/KlWg==

pqfVAERhYxN7YPM=

9nS5b/AGCpZNAfZj1A==

a3GcpSND8/KlWg==

fin6NmQXayreIOrzPyw=

EjdROfeTsDPVH+rzPyw=

DO4xD8nURBwM8Q+i

+p/LQHFh0KOAQEW7

iNos10QpwjvjvFrXJYtYFiuHdA==

SX//aFP4Yi5T6NbcKQr07J6e

2NKh0dNr52sTdH4OSNjBhQ==

ZMSJmgsxFrlp5fnecrgeVYcP4xRZNho=

oXmlavAJ+3IbFbl3Gm4H+iKG

ijjWRYCaXiTcigreSNjBhQ==

ZqpH49I4XPu1k+rzPyw=

ZZUh+4FrrBbKukgJWoeuFzY=

lLnTxHn7rq/W9G8rzjsgCnyBYw==

drzjup.space

Targets

- Target
  
  Invoice NO 22073895.exe
- Size
  
  486KB
- MD5
  
  85cd688a9fee95b88b94b6879039201f
- SHA1
  
  0843488b993fd26651cff415ac5a43c593defa25
- SHA256
  
  4d3261b30e45d9577916b421a9b829836e955a9be539866aa29d21aad01283c1
- SHA512
  
  9ed65a00f4e6c276b18778feac6140759ebbc159d15c4c20280ff13b1887c73ec4fc88a38abe0f8e0d75ec0e5a5acf82478472b761247bee1357d130bf80ab45
- SSDEEP
  
  12288:AYn68Ex+E5Z8kJqeKPMwwOfGo5KNfhtDuCytMi4zaaKL:AYn6DAEgIqecuo5KbsCy6igbG
Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderpoubloaderpersistenceratspywarestealertrojan

behavioral2

formbookxloaderpoubloaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy