Overview

overview

10

Static

static

January_or...84.xls

windows7-x64

10

January_or...84.xls

windows10-2004-x64

1

Resubmissions

19-01-2023 14:58

230119-scm82adc3w 10

19-01-2023 12:48

230119-p1r1cach6w 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    January_order_2003984.xls

  • Size

    90KB

  • Sample

    230119-p1r1cach6w

  • MD5

    96acef79802842edf68773128a180a2b

  • SHA1

    359dfa82346c95afbbc0fb3a2c473bcc3114b503

  • SHA256

    e0451a22f5f14b8ba7355eaf45912270b2e1a25a5cab15e113f7934de0feef6e

  • SHA512

    feff2df50eea580a74c2c8d51760f56cc2e74e5caf1895d7ac608bc9a056cb12e1a910290bd004499bacf5ce34d021c2c309545bb7262bd4be699bbde57a8287

  • SSDEEP

    1536:ykfZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAU+p7CkNWZ3c3M+pC3+pS12w+UpbuCV:RfZ+RwPONXoRjDhIcp0fDlaGGx+cL26J

Score
10/10
formbookxloaderdcn0loaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Extracted

Family

xloader

Version

3.�E

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Targets

    • Target

      January_order_2003984.xls

    • Size

      90KB

    • MD5

      96acef79802842edf68773128a180a2b

    • SHA1

      359dfa82346c95afbbc0fb3a2c473bcc3114b503

    • SHA256

      e0451a22f5f14b8ba7355eaf45912270b2e1a25a5cab15e113f7934de0feef6e

    • SHA512

      feff2df50eea580a74c2c8d51760f56cc2e74e5caf1895d7ac608bc9a056cb12e1a910290bd004499bacf5ce34d021c2c309545bb7262bd4be699bbde57a8287

    • SSDEEP

      1536:ykfZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAU+p7CkNWZ3c3M+pC3+pS12w+UpbuCV:RfZ+RwPONXoRjDhIcp0fDlaGGx+cL26J

    Score
    10/10
    formbookxloaderdcn0loaderratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks