General

  • Target

    tmp

  • Size

    249KB

  • Sample

    230127-ppaxpabh4v

  • MD5

    43d4d189e3a454af9ec3a8eb52950229

  • SHA1

    0318519523ceb8e1336519f864fbaa4836c7bb0b

  • SHA256

    175cb0ef969196bf7f303ea574bf8bfec879e6fbdf29cdb62cf325c1788e8866

  • SHA512

    efd2542533a9351fbde8c662437a9cb9e6fa42dbc96442e3d498056a470e6f40797f30d44a3f08b363839cb623a8d32d7294ab80bb16619179281a04d4da4e64

  • SSDEEP

    6144:/Ya60JwnxUpL0uzKDDT8ivn9q4p2lEtW0hlYScRcG:/YqYOpL0Oq4ivnE4s+96ScRcG

Malware Config

Extracted

Family

formbook

Campaign

u8ow

Decoy

uzhDDUNgg10rOh8rkUMGYiLuNnRWl9gwMQ==

bfkA4IUaSgYi7IA=

ezX5yHeR21O3h2RCgQ==

x3E4ntHeLMGQm0kdTi6PJtjOVS6Em8UaKA==

xJuAYwcZLAfqrVazWjvkirgFxDSf

qrGugLdannLYegX5dCtFMA==

i61nMddueAYi7IA=

RoNMKNhtdDWpeiYoaB37TPiHTLo=

RFj3UHHrDtAktSZhYku36opnsaMbNA==

lx0g+6RPl4jwwNPRPuTD

MyEQ4oGk6vXrMM4V

0IVWH0rfKe1J4nn6J9XB

SYVlN3Zrnq2OaWpDiQ==

fNa0jy3P8KQK25rpmwqd0t8=

UZuSZpW+9ffX9KXzmgqd0t8=

Vxf85YCWvYNZjkcDdCtFMA==

0gG1EzLP7/DrMM4V

WExRGVAEE6YS5tJkTxMhR636+A==

6Tv7U4QdURt1KUI+gw==

ooR7RXgsXPtaEutnaQ3efjIXmfJePavzIA==

Targets

    • Target

      tmp

    • Size

      249KB

    • MD5

      43d4d189e3a454af9ec3a8eb52950229

    • SHA1

      0318519523ceb8e1336519f864fbaa4836c7bb0b

    • SHA256

      175cb0ef969196bf7f303ea574bf8bfec879e6fbdf29cdb62cf325c1788e8866

    • SHA512

      efd2542533a9351fbde8c662437a9cb9e6fa42dbc96442e3d498056a470e6f40797f30d44a3f08b363839cb623a8d32d7294ab80bb16619179281a04d4da4e64

    • SSDEEP

      6144:/Ya60JwnxUpL0uzKDDT8ivn9q4p2lEtW0hlYScRcG:/YqYOpL0Oq4ivnE4s+96ScRcG

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

2
T1060

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks