formbook | 084b97b355d56cc5218df3154cb1a30469b9c491f7e2c25afe2cd3dc138fba22 | Triage

Submit
Reports

Overview

overview

Static

static

Doc_230130.xlsx

windows7-x64

Doc_230130.xlsx

windows10-2004-x64

1

Sharing

General

Target

Doc_230130.xlsx.zip
Size

700KB
Sample

230130-lyt55shh94
MD5

d527d61a03fb335f1e857e20668f10f4
SHA1

9aa84ed97c1303219448552a7251efa1f1fdfdcd
SHA256

084b97b355d56cc5218df3154cb1a30469b9c491f7e2c25afe2cd3dc138fba22
SHA512

f4fc76b18920490f594facb7d7224827a6c0b5dbc1ce9971d479b25440f1ab074eb3737e7c4201627ab17ccb7cf71eac992dfe72d93bc7324824c7b4aec065e7
SSDEEP

12288:+PA07QBQuIEy/y+yH3zF/rnE2e62itIXh5VNTQWqgdvz+4fMzylWxDv4ozDB1m:+IwQPIB+Dn6i25LTbqgdvz9qMozl1m

Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Doc_230130.xlsx

Resource

win7-20221111-en

formbook xloader poub loader persistence rat spyware stealer trojan

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

Doc_230130.xlsx

Resource

win10v2004-20221111-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Muif0yE4CQN1VOs=

VEt6//SsIukFo46EOTs=

Z8su52MYL67C

usDwuHRs8/KlWg==

idmltXXu7XAgHLE/UPTcjw==

QPrxO2shWNiGexGboHDSRqBQ1TBd

hq9rqBND8/KlWg==

QS9iHFx08/KlWg==

v1soVFoThEdt/B/dK0v4+6Wb

7rqJytN13KKAQEW7

OWbeN2SDJwonsI6EOTs=

aqQrrKZDm16GMlAtvxavW1Cf

imnEZWIEbC4M8Q+i

Bry3oQg5+6ZaUNxzwg==

B3vYmyxPQS5XYvmCsqQXX8X948Zf

KbGBmwwCyKTKsUcRUNN6CD61aw==

2WpDae4P+W4cdqc8kPBcjqg0wS1X

MvkZLPRY25jI

Alr0VZGxYxG3dR/zSNjBhQ==

ZJkdjczlrF+8l0Os

dcmMkFm+QhFD4OM=

fMdUrd4J1n4mmWElww==

Gat+k1fHg11vTQ==

sn+7Q4uxaAu9FyGv7k24F1DWaBEvmRI=

CjvGRTnXOhtN6QSNxhmvW1Cf

CpHvP2VSxaKAQEW7

qQWkEUJYFKhPttOZ4MarX8KKLl+/Jg==

GNVP4yIy8/KlWg==

pqfVAERhYxN7YPM=

9nS5b/AGCpZNAfZj1A==

a3GcpSND8/KlWg==

fin6NmQXayreIOrzPyw=

EjdROfeTsDPVH+rzPyw=

DO4xD8nURBwM8Q+i

+p/LQHFh0KOAQEW7

iNos10QpwjvjvFrXJYtYFiuHdA==

SX//aFP4Yi5T6NbcKQr07J6e

2NKh0dNr52sTdH4OSNjBhQ==

ZMSJmgsxFrlp5fnecrgeVYcP4xRZNho=

oXmlavAJ+3IbFbl3Gm4H+iKG

ijjWRYCaXiTcigreSNjBhQ==

ZqpH49I4XPu1k+rzPyw=

ZZUh+4FrrBbKukgJWoeuFzY=

lLnTxHn7rq/W9G8rzjsgCnyBYw==

drzjup.space

Targets

- Target
  
  Doc_230130.xlsx
- Size
  
  702KB
- MD5
  
  d580807d4ec90e4abef17b0b89bc6ca3
- SHA1
  
  5051e0df1c94942a5c911f15d4d4b9d3b7252939
- SHA256
  
  3d120d5932768adbbae1ebe3a10396f58808d5f586b72f5a22b623214ea1830d
- SHA512
  
  98535ead563d472a600f5aebffb3b74491cfd8b22d4e8b4ab5b2aa4f9cf71b460d54443b03c1f14e2452e44069ed9d2f63723091e24d2ed14f788800bd093d15
- SSDEEP
  
  12288:wmpPU4JAXM6skUcuV6573iOux7bd9lkMszTpCrnQ4X8WGgIwS8+/zSnyDI:jfKikUcTxi5d9cpkQ4JL7q730
Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderpoubloaderpersistenceratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy