General

  • Target

    b220568343b62f6a4bb4abc001ddfd4a00b66c9debe0542c55f6f2a91cd832bf

  • Size

    262KB

  • Sample

    230131-qec5qsge27

  • MD5

    512fcd3048ecc3311759e82e00c9888d

  • SHA1

    be45965664140ed3a03236605f4b8c9ed7bfcc47

  • SHA256

    b220568343b62f6a4bb4abc001ddfd4a00b66c9debe0542c55f6f2a91cd832bf

  • SHA512

    1faac492c0a7fa1744c5a70b506d0b1d1e950c03b00e5a152bbe4a6ccb2237f6bb8ef6035839e1d976e1f228da2f0f1c1c4dec3d4f82bbc35659fe60e0625034

  • SSDEEP

    6144:/Ya6Wa8RQeZcz5jHeU1NNWGYugdRUPmzDq9I+H:/YoaKcz5HeeNcGFgdRUGm95H

Malware Config

Extracted

Family

formbook

Campaign

u8ow

Decoy

uzhDDUNgg10rOh8rkUMGYiLuNnRWl9gwMQ==

bfkA4IUaSgYi7IA=

ezX5yHeR21O3h2RCgQ==

x3E4ntHeLMGQm0kdTi6PJtjOVS6Em8UaKA==

xJuAYwcZLAfqrVazWjvkirgFxDSf

qrGugLdannLYegX5dCtFMA==

i61nMddueAYi7IA=

RoNMKNhtdDWpeiYoaB37TPiHTLo=

RFj3UHHrDtAktSZhYku36opnsaMbNA==

lx0g+6RPl4jwwNPRPuTD

MyEQ4oGk6vXrMM4V

0IVWH0rfKe1J4nn6J9XB

SYVlN3Zrnq2OaWpDiQ==

fNa0jy3P8KQK25rpmwqd0t8=

UZuSZpW+9ffX9KXzmgqd0t8=

Vxf85YCWvYNZjkcDdCtFMA==

0gG1EzLP7/DrMM4V

WExRGVAEE6YS5tJkTxMhR636+A==

6Tv7U4QdURt1KUI+gw==

ooR7RXgsXPtaEutnaQ3efjIXmfJePavzIA==

Targets

    • Target

      b220568343b62f6a4bb4abc001ddfd4a00b66c9debe0542c55f6f2a91cd832bf

    • Size

      262KB

    • MD5

      512fcd3048ecc3311759e82e00c9888d

    • SHA1

      be45965664140ed3a03236605f4b8c9ed7bfcc47

    • SHA256

      b220568343b62f6a4bb4abc001ddfd4a00b66c9debe0542c55f6f2a91cd832bf

    • SHA512

      1faac492c0a7fa1744c5a70b506d0b1d1e950c03b00e5a152bbe4a6ccb2237f6bb8ef6035839e1d976e1f228da2f0f1c1c4dec3d4f82bbc35659fe60e0625034

    • SSDEEP

      6144:/Ya6Wa8RQeZcz5jHeU1NNWGYugdRUPmzDq9I+H:/YoaKcz5HeeNcGFgdRUGm95H

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks