General

  • Target

    8b37c8c2c2beefd373d98526c700109a.exe

  • Size

    228KB

  • Sample

    230127-nz6axaad24

  • MD5

    8b37c8c2c2beefd373d98526c700109a

  • SHA1

    e5acac1ffd8ced2e30313a0e93129524dd91c952

  • SHA256

    64a8c9065258f70f7567b5d52da2738c6e63580cc64a95273b454f45addf50f5

  • SHA512

    f41ff902b633f2119c584290f3089922a828d546b1a484659225d2426c70f961993e305c911896d1abf738d87bfcd31dc51d18b1d9e692099d74644e6b2963eb

  • SSDEEP

    6144:/Ya6qkxtNGqZnjsvzTXRDK6wgQ7js0YXQzf8PWFJMNXYSZm3k:/YUkEqZQH9KJgis0uRYSYk

Malware Config

Extracted

Family

formbook

Campaign

u8ow

Decoy

uzhDDUNgg10rOh8rkUMGYiLuNnRWl9gwMQ==

bfkA4IUaSgYi7IA=

ezX5yHeR21O3h2RCgQ==

x3E4ntHeLMGQm0kdTi6PJtjOVS6Em8UaKA==

xJuAYwcZLAfqrVazWjvkirgFxDSf

qrGugLdannLYegX5dCtFMA==

i61nMddueAYi7IA=

RoNMKNhtdDWpeiYoaB37TPiHTLo=

RFj3UHHrDtAktSZhYku36opnsaMbNA==

lx0g+6RPl4jwwNPRPuTD

MyEQ4oGk6vXrMM4V

0IVWH0rfKe1J4nn6J9XB

SYVlN3Zrnq2OaWpDiQ==

fNa0jy3P8KQK25rpmwqd0t8=

UZuSZpW+9ffX9KXzmgqd0t8=

Vxf85YCWvYNZjkcDdCtFMA==

0gG1EzLP7/DrMM4V

WExRGVAEE6YS5tJkTxMhR636+A==

6Tv7U4QdURt1KUI+gw==

ooR7RXgsXPtaEutnaQ3efjIXmfJePavzIA==

Targets

    • Target

      8b37c8c2c2beefd373d98526c700109a.exe

    • Size

      228KB

    • MD5

      8b37c8c2c2beefd373d98526c700109a

    • SHA1

      e5acac1ffd8ced2e30313a0e93129524dd91c952

    • SHA256

      64a8c9065258f70f7567b5d52da2738c6e63580cc64a95273b454f45addf50f5

    • SHA512

      f41ff902b633f2119c584290f3089922a828d546b1a484659225d2426c70f961993e305c911896d1abf738d87bfcd31dc51d18b1d9e692099d74644e6b2963eb

    • SSDEEP

      6144:/Ya6qkxtNGqZnjsvzTXRDK6wgQ7js0YXQzf8PWFJMNXYSZm3k:/YUkEqZQH9KJgis0uRYSYk

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Collection

Data from Local System

1
T1005

Tasks