General

  • Target

    d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c

  • Size

    330KB

  • Sample

    230125-yr6a2sae76

  • MD5

    58a93d1d064b9e8265ea798531adb0bf

  • SHA1

    d5e30f238fabd304d30ba2c726c71fb47765b494

  • SHA256

    d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c

  • SHA512

    c5e9c0e07ea8904a45011380836ff8f0b936954729df4fb18f62414322f5815ec8ebc5803729a13b783cf87a5bd723fc821405e3579e017c7b19059e57f76bfb

  • SSDEEP

    6144:PYa69K+mD7y0q2hhBCH4m6Qx8qQ5+/ucZiE2TZPwc7j0W6KmZE0HOkv/kBa:PYnUD71qc+6Q+qQuu/Tn396KmLDv/

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Targets

    • Target

      d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c

    • Size

      330KB

    • MD5

      58a93d1d064b9e8265ea798531adb0bf

    • SHA1

      d5e30f238fabd304d30ba2c726c71fb47765b494

    • SHA256

      d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c

    • SHA512

      c5e9c0e07ea8904a45011380836ff8f0b936954729df4fb18f62414322f5815ec8ebc5803729a13b783cf87a5bd723fc821405e3579e017c7b19059e57f76bfb

    • SSDEEP

      6144:PYa69K+mD7y0q2hhBCH4m6Qx8qQ5+/ucZiE2TZPwc7j0W6KmZE0HOkv/kBa:PYnUD71qc+6Q+qQuu/Tn396KmLDv/

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Collection

Data from Local System

1
T1005

Tasks