General

  • Target

    Doc_230125.xlsx

  • Size

    644KB

  • Sample

    230125-mkc55sfg28

  • MD5

    be7a9bc01cfea694a22d463ec14e7e3b

  • SHA1

    1bc1b452bb230be5d4a51484ff4f2771f3792619

  • SHA256

    8d9987b12667c1d3cfd71161c7d18fe4b152557157bed38264120baa49b184be

  • SHA512

    e9543b207f84a9f2cd7f3b8f2c521e7dba9bef53e2d5439993e78d1596f737415f0bf1d82e2f5d4201206c2071a1661da901fbc60d54a3c6d1ecb50da47c0a38

  • SSDEEP

    12288:frxQKDBSm3Wn/xyqZ8/uZv7Ddv4s00jN5jLelzGpEXiqYGwTtfOjOzVcV:tDn3Wn/sqH7Ddgs00/qlYEyLTAi2

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Targets

    • Target

      Doc_230125.xlsx

    • Size

      644KB

    • MD5

      be7a9bc01cfea694a22d463ec14e7e3b

    • SHA1

      1bc1b452bb230be5d4a51484ff4f2771f3792619

    • SHA256

      8d9987b12667c1d3cfd71161c7d18fe4b152557157bed38264120baa49b184be

    • SHA512

      e9543b207f84a9f2cd7f3b8f2c521e7dba9bef53e2d5439993e78d1596f737415f0bf1d82e2f5d4201206c2071a1661da901fbc60d54a3c6d1ecb50da47c0a38

    • SSDEEP

      12288:frxQKDBSm3Wn/xyqZ8/uZv7Ddv4s00jN5jLelzGpEXiqYGwTtfOjOzVcV:tDn3Wn/sqH7Ddgs00/qlYEyLTAi2

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Exploitation for Client Execution

1
T1203

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Tasks