Malware sandboxing report by Hatching Triage

General

Target

Doc_230125.xlsx
Size

644KB
Sample

230125-mkjypafg32
MD5

be7a9bc01cfea694a22d463ec14e7e3b
SHA1

1bc1b452bb230be5d4a51484ff4f2771f3792619
SHA256

8d9987b12667c1d3cfd71161c7d18fe4b152557157bed38264120baa49b184be
SHA512

e9543b207f84a9f2cd7f3b8f2c521e7dba9bef53e2d5439993e78d1596f737415f0bf1d82e2f5d4201206c2071a1661da901fbc60d54a3c6d1ecb50da47c0a38
SSDEEP

12288:frxQKDBSm3Wn/xyqZ8/uZv7Ddv4s00jN5jLelzGpEXiqYGwTtfOjOzVcV:tDn3Wn/sqH7Ddgs00/qlYEyLTAi2

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==
moRjn9ExtYi8UmUo+Tya
2vME+GedoxzFnuLXesUoVj4=
EvW4JWJ1NQ8nN3tA3SM=
2mK9efMZMgN1VOs=
8d0jua5b0J6AQEW7
/2cyThOd37DSTYMASDye4Q0t/Vs=
ral+tbIh2KKAQEW7
YLY9jsPtYB/FRmMo+Tya
R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=
KFXGg/T1pCC9GjrxUPTcjw==
8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=
c7am8nhhlCo=
UW91trZj6dENxuRdpxOvW1Cf
sjOMUcvq6lYJCZEfV4euFzY=
62nBgPjdmWQkmWElww==
64E8JqA1aruSUvw=
NqI1reXpcR+REye0
8+y1oOsbjgSyEhjXUPTcjw==
Rx9by8gNBwN1VOs=
Muif0yE4CQN1VOs=
VEt6//SsIukFo46EOTs=
Z8su52MYL67C
usDwuHRs8/KlWg==
idmltXXu7XAgHLE/UPTcjw==
QPrxO2shWNiGexGboHDSRqBQ1TBd
hq9rqBND8/KlWg==
QS9iHFx08/KlWg==
v1soVFoThEdt/B/dK0v4+6Wb
7rqJytN13KKAQEW7
OWbeN2SDJwonsI6EOTs=
aqQrrKZDm16GMlAtvxavW1Cf
imnEZWIEbC4M8Q+i
Bry3oQg5+6ZaUNxzwg==
B3vYmyxPQS5XYvmCsqQXX8X948Zf
KbGBmwwCyKTKsUcRUNN6CD61aw==
2WpDae4P+W4cdqc8kPBcjqg0wS1X
MvkZLPRY25jI
Alr0VZGxYxG3dR/zSNjBhQ==
ZJkdjczlrF+8l0Os
dcmMkFm+QhFD4OM=
fMdUrd4J1n4mmWElww==
Gat+k1fHg11vTQ==
sn+7Q4uxaAu9FyGv7k24F1DWaBEvmRI=
CjvGRTnXOhtN6QSNxhmvW1Cf
CpHvP2VSxaKAQEW7
qQWkEUJYFKhPttOZ4MarX8KKLl+/Jg==
GNVP4yIy8/KlWg==
pqfVAERhYxN7YPM=
9nS5b/AGCpZNAfZj1A==
a3GcpSND8/KlWg==
fin6NmQXayreIOrzPyw=
EjdROfeTsDPVH+rzPyw=
DO4xD8nURBwM8Q+i
+p/LQHFh0KOAQEW7
iNos10QpwjvjvFrXJYtYFiuHdA==
SX//aFP4Yi5T6NbcKQr07J6e
2NKh0dNr52sTdH4OSNjBhQ==
ZMSJmgsxFrlp5fnecrgeVYcP4xRZNho=
oXmlavAJ+3IbFbl3Gm4H+iKG
ijjWRYCaXiTcigreSNjBhQ==
ZqpH49I4XPu1k+rzPyw=
ZZUh+4FrrBbKukgJWoeuFzY=
lLnTxHn7rq/W9G8rzjsgCnyBYw==
drzjup.space

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Targets

- Target
  
  Doc_230125.xlsx
- Size
  
  644KB
- MD5
  
  be7a9bc01cfea694a22d463ec14e7e3b
- SHA1
  
  1bc1b452bb230be5d4a51484ff4f2771f3792619
- SHA256
  
  8d9987b12667c1d3cfd71161c7d18fe4b152557157bed38264120baa49b184be
- SHA512
  
  e9543b207f84a9f2cd7f3b8f2c521e7dba9bef53e2d5439993e78d1596f737415f0bf1d82e2f5d4201206c2071a1661da901fbc60d54a3c6d1ecb50da47c0a38
- SSDEEP
  
  12288:frxQKDBSm3Wn/xyqZ8/uZv7Ddv4s00jN5jLelzGpEXiqYGwTtfOjOzVcV:tDn3Wn/sqH7Ddgs00/qlYEyLTAi2
Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exploitation for Client Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook

Xloader

Xloader payload

Adds policy Run key to start application

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2