formbook | f5ae9ee403c63e78514c23cdb6297c09a5367c241f6151def5fe1fc096946de4 | Triage

Sharing

General

Target

Invoice NO 22073895.exe
Size

422KB
Sample

230111-k964eafe9w
MD5

dee7396305b42cf03353059427ef8338
SHA1

656b2744eed942b4a4659d73813e3bebe704eb5a
SHA256

f5ae9ee403c63e78514c23cdb6297c09a5367c241f6151def5fe1fc096946de4
SHA512

d7b0a4e2f1478272dad605f92137e6cc649d3ffbee6e27710d290c4983a22d3e7bf8f3117c3e3b76c9044cc00e0503f9061454a2faa3d2651fb56323330f4159
SSDEEP

6144:oYa63qgvG1/xZGA3iCc34BJ8/BL7jYaMRHajFvC/H2wGy1JBq6Ou:oYNnvKHyx2J8xQvVa4/HBGy1Xr

Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Targets

- Target
  
  Invoice NO 22073895.exe
- Size
  
  422KB
- MD5
  
  dee7396305b42cf03353059427ef8338
- SHA1
  
  656b2744eed942b4a4659d73813e3bebe704eb5a
- SHA256
  
  f5ae9ee403c63e78514c23cdb6297c09a5367c241f6151def5fe1fc096946de4
- SHA512
  
  d7b0a4e2f1478272dad605f92137e6cc649d3ffbee6e27710d290c4983a22d3e7bf8f3117c3e3b76c9044cc00e0503f9061454a2faa3d2651fb56323330f4159
- SSDEEP
  
  6144:oYa63qgvG1/xZGA3iCc34BJ8/BL7jYaMRHajFvC/H2wGy1JBq6Ou:oYNnvKHyx2J8xQvVa4/HBGy1Xr
Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookxloaderpoubloaderpersistenceratspywarestealertrojan

behavioral2

formbookxloaderpoubloaderpersistenceratspywarestealertrojan