General

  • Target

    ffd1f23d797e701acd68c6fafc43ee52.bin

  • Size

    214KB

  • Sample

    230117-kgsqbada82

  • MD5

    2b9caa2d11deea29583c3f060bfeb537

  • SHA1

    53487d9a9b9fa859e179b440f9b90c6921540f04

  • SHA256

    28775ce1bdb5ca7b38745997d9c843f3ff46143879a2cd9f9c5be68c0b238ceb

  • SHA512

    201e514987c7bf5b5ecdc90327a8314c2a3f03134ab9e6b4841f0f1c72b2ff91e404c4a65984c543241e68eca42e18d5d42c438c7ec979025856f4fac2b23679

  • SSDEEP

    6144:wpkqVBAclfjaA4hA9kOWByr5HDx15npNNsAV4UZB2v:0v94AkTItt159pb2v

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Targets

    • Target

      b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe

    • Size

      225KB

    • MD5

      ffd1f23d797e701acd68c6fafc43ee52

    • SHA1

      9d50d54229d7b5c77ef2ff5b2e8383d857a72c78

    • SHA256

      b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700

    • SHA512

      7ce85f0852546659ff88c74649885599926ad99705afa70403d8f925248c954350b4dec3383e0f9e0aa61ded75b13416dc217eae2064cb3992ed3a67e98b352c

    • SSDEEP

      6144:LkwmZ9d0kAbVgQgvIb3w/zpxuDee5rFrTFFkvyIu2:4Z30b8qARe5ZrTkvyk

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

2
T1060

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks