General

  • Target

    Doc_230127.xlsx

  • Size

    751KB

  • Sample

    230127-m9gjvsbg4s

  • MD5

    223722998eedb55be29303871403d229

  • SHA1

    c77a66ba6b49f19471eed470c7ab13c9574ec5e5

  • SHA256

    c59569a4dcfea9baca6013c1abdc304577907e8cc1659fc8df93d6bb48129845

  • SHA512

    b22c9c6f5ecfa2dbfa896eccc139c50a0424931b51db3a53088cd0c405a0c8f12f07240781a268bdb34adbfac43f07dfb5922efd3523c4fad714677e39687691

  • SSDEEP

    12288:seQslI5UMktTW6VV7PINexvXJzEiGGZb7s8pr7E8+qlPqX46lp6d+kWlM/:qY0k48IkNkGZbtZovqlPqJlp6QPM/

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Targets

    • Target

      Doc_230127.xlsx

    • Size

      751KB

    • MD5

      223722998eedb55be29303871403d229

    • SHA1

      c77a66ba6b49f19471eed470c7ab13c9574ec5e5

    • SHA256

      c59569a4dcfea9baca6013c1abdc304577907e8cc1659fc8df93d6bb48129845

    • SHA512

      b22c9c6f5ecfa2dbfa896eccc139c50a0424931b51db3a53088cd0c405a0c8f12f07240781a268bdb34adbfac43f07dfb5922efd3523c4fad714677e39687691

    • SSDEEP

      12288:seQslI5UMktTW6VV7PINexvXJzEiGGZb7s8pr7E8+qlPqX46lp6d+kWlM/:qY0k48IkNkGZbtZovqlPqJlp6QPM/

    • Formbook

      Formbook is a data-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Exploitation for Client Execution (T1203), 1 match

  • Defense Evasion

    Modify Registry (T1112), 1 match

  • Discovery

    Query Registry (T1012), 3 matches

    System Information Discovery (T1082), 4 matches

Tasks