Triage | Malware sandboxing report by Hatching Triage

Submit
Reports

Overview

overview

Static

static

Doc_230125.xlsx

windows7-x64

Doc_230125.xlsx

windows10-2004-x64

1

Sharing

General

Target

Doc_230125.xlsx
Size

644KB
Sample

230125-mkjypafg32
MD5

be7a9bc01cfea694a22d463ec14e7e3b
SHA1

1bc1b452bb230be5d4a51484ff4f2771f3792619
SHA256

8d9987b12667c1d3cfd71161c7d18fe4b152557157bed38264120baa49b184be
SHA512

e9543b207f84a9f2cd7f3b8f2c521e7dba9bef53e2d5439993e78d1596f737415f0bf1d82e2f5d4201206c2071a1661da901fbc60d54a3c6d1ecb50da47c0a38
SSDEEP

12288:frxQKDBSm3Wn/xyqZ8/uZv7Ddv4s00jN5jLelzGpEXiqYGwTtfOjOzVcV:tDn3Wn/sqH7Ddgs00/qlYEyLTAi2

Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Doc_230125.xlsx

Resource

win7-20220812-en

formbook xloader poub loader persistence rat spyware stealer trojan

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

Doc_230125.xlsx

Resource

win10v2004-20221111-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Muif0yE4CQN1VOs=

VEt6//SsIukFo46EOTs=

Z8su52MYL67C

usDwuHRs8/KlWg==

idmltXXu7XAgHLE/UPTcjw==

QPrxO2shWNiGexGboHDSRqBQ1TBd

hq9rqBND8/KlWg==

QS9iHFx08/KlWg==

v1soVFoThEdt/B/dK0v4+6Wb

7rqJytN13KKAQEW7

OWbeN2SDJwonsI6EOTs=

aqQrrKZDm16GMlAtvxavW1Cf

imnEZWIEbC4M8Q+i

Bry3oQg5+6ZaUNxzwg==

B3vYmyxPQS5XYvmCsqQXX8X948Zf

KbGBmwwCyKTKsUcRUNN6CD61aw==

2WpDae4P+W4cdqc8kPBcjqg0wS1X

MvkZLPRY25jI

Alr0VZGxYxG3dR/zSNjBhQ==

ZJkdjczlrF+8l0Os

dcmMkFm+QhFD4OM=

fMdUrd4J1n4mmWElww==

Gat+k1fHg11vTQ==

sn+7Q4uxaAu9FyGv7k24F1DWaBEvmRI=

CjvGRTnXOhtN6QSNxhmvW1Cf

CpHvP2VSxaKAQEW7

qQWkEUJYFKhPttOZ4MarX8KKLl+/Jg==

GNVP4yIy8/KlWg==

pqfVAERhYxN7YPM=

9nS5b/AGCpZNAfZj1A==

a3GcpSND8/KlWg==

fin6NmQXayreIOrzPyw=

EjdROfeTsDPVH+rzPyw=

DO4xD8nURBwM8Q+i

+p/LQHFh0KOAQEW7

iNos10QpwjvjvFrXJYtYFiuHdA==

SX//aFP4Yi5T6NbcKQr07J6e

2NKh0dNr52sTdH4OSNjBhQ==

ZMSJmgsxFrlp5fnecrgeVYcP4xRZNho=

oXmlavAJ+3IbFbl3Gm4H+iKG

ijjWRYCaXiTcigreSNjBhQ==

ZqpH49I4XPu1k+rzPyw=

ZZUh+4FrrBbKukgJWoeuFzY=

lLnTxHn7rq/W9G8rzjsgCnyBYw==

drzjup.space

Targets

- Target
  
  Doc_230125.xlsx
- Size
  
  644KB
- MD5
  
  be7a9bc01cfea694a22d463ec14e7e3b
- SHA1
  
  1bc1b452bb230be5d4a51484ff4f2771f3792619
- SHA256
  
  8d9987b12667c1d3cfd71161c7d18fe4b152557157bed38264120baa49b184be
- SHA512
  
  e9543b207f84a9f2cd7f3b8f2c521e7dba9bef53e2d5439993e78d1596f737415f0bf1d82e2f5d4201206c2071a1661da901fbc60d54a3c6d1ecb50da47c0a38
- SSDEEP
  
  12288:frxQKDBSm3Wn/xyqZ8/uZv7Ddv4s00jN5jLelzGpEXiqYGwTtfOjOzVcV:tDn3Wn/sqH7Ddgs00/qlYEyLTAi2
Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderpoubloaderpersistenceratspywarestealertrojan

behavioral2

© 2018-2023

Terms | Privacy