formbook | 6d4977cb739bd60eaf1bd6cea2258cf09a2aaab71a3646f8c055ba9fbc5db6f5 | Triage

Submit
Reports

Overview

overview

Static

static

1

6d4977cb73...5.xlsx

windows7-x64

6d4977cb73...5.xlsx

windows10-2004-x64

1

Sharing

General

Target

6d4977cb739bd60eaf1bd6cea2258cf09a2aaab71a3646f8c055ba9fbc5db6f5.xlsx
Size

896KB
Sample

230206-3q5qcagd82
MD5

eb5418b2d45b0f361fa93f01139871d0
SHA1

882c97f3fd9b406183e4ac01396ff41fabb2c1b3
SHA256

6d4977cb739bd60eaf1bd6cea2258cf09a2aaab71a3646f8c055ba9fbc5db6f5
SHA512

7aad6ed53af3b4f0d7f8da3dababe42cb48ca086bdc495ad5908ab74ee90e3dcc4f45a9b66d091241868aa21fa79b2578ee02ba9f46f4fc3ff53e4dedf068107
SSDEEP

24576:7oD1xqL1dePSHEwb2hvSiMBpVxYyUYbLQhCntqY:cD1xqLD7HNb2NMHVhUYbkhmqY

Score

10^/10

formbook xloader u8ow loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

6d4977cb739bd60eaf1bd6cea2258cf09a2aaab71a3646f8c055ba9fbc5db6f5.xlsx

Resource

win7-20221111-en

formbook xloader u8ow loader persistence rat spyware stealer trojan

windows7-x64

25 signatures

150 seconds

Behavioral task

behavioral2

Sample

6d4977cb739bd60eaf1bd6cea2258cf09a2aaab71a3646f8c055ba9fbc5db6f5.xlsx

Resource

win10v2004-20220901-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Campaign

u8ow

Decoy

uzhDDUNgg10rOh8rkUMGYiLuNnRWl9gwMQ==

bfkA4IUaSgYi7IA=

ezX5yHeR21O3h2RCgQ==

x3E4ntHeLMGQm0kdTi6PJtjOVS6Em8UaKA==

xJuAYwcZLAfqrVazWjvkirgFxDSf

qrGugLdannLYegX5dCtFMA==

i61nMddueAYi7IA=

RoNMKNhtdDWpeiYoaB37TPiHTLo=

RFj3UHHrDtAktSZhYku36opnsaMbNA==

lx0g+6RPl4jwwNPRPuTD

MyEQ4oGk6vXrMM4V

0IVWH0rfKe1J4nn6J9XB

SYVlN3Zrnq2OaWpDiQ==

fNa0jy3P8KQK25rpmwqd0t8=

UZuSZpW+9ffX9KXzmgqd0t8=

Vxf85YCWvYNZjkcDdCtFMA==

0gG1EzLP7/DrMM4V

WExRGVAEE6YS5tJkTxMhR636+A==

6Tv7U4QdURt1KUI+gw==

ooR7RXgsXPtaEutnaQ3efjIXmfJePavzIA==

kH1+agwHHalYZx6qIgfY

ZWt1Rm0DSQlnBqPfWQAc/tcr

cLCK7t168nLRaWpDiQ==

mhlxXnj4ae2oyA==

cNfFjLnZBAbktB6qIgfY

e4+aeK07RtRvyDdIwbTJ

zV1cO+x+pG5zGpk=

Chw2HE2XGN4+Cr/5oYw2qDok

DP/jRm13vb2eiYBXkQ==

Ma9RHLrYBdejyIc/Mg2d/8xWIqM=

VTo6X4LaHCfge/wU

sWUqRFyEF4620a0t2n8=

gFcKdpXTkQzrMM4V

OhMDz+2HrUeaOs/fJBHkCKz7+g==

VO2d9iU2Thf318SIwq0EOA==

e1ku/6K39wfJUusrm0vPx4XRqHIvPpc=

P+jz1DwdYV0=

bTf6X4eNo29HFZaYHIdgOg==

4T4u2HphcHA0

tbfJk7tho2DrMM4V

mN6i/Su4QgqJXCqCRzW3mzJHyrWX

zW04ErzqFdmbu79Rig==

ZmprSnkJRcl0JKT6J9XB

MpWLW5et5BoKKk+rm3c=

Zr2aZxK7/FrlpnRYlw==

0U3tR3qhsDuRX0ebnn0=

wwHLoEjfITb8VSKpjXQ=

U0tVJVTjQAYi7IA=

UhwL8pe04L+OaWpDiQ==

aopHm8x6r2frMM4V

Lmst/p5BnbN6FIkTOM8rEdc=

GE06CTdjgx+Q6ZIV2H8=

EEj/aJNAfnLggR7q56O3833n8g==

iNu4mEHQ21YCng0d

KDEzCTXL1lu2jm76J9XB

75FOp9va+5X90pMaWzhMstYm

dC3913qn0YlNK0+rm3c=

JdWkeCE2aH5uMqzDQikE2IVmsaMbNA==

DXRpMVx9wYHolAeOVjsokL9HyrWX

OhHhPWGIz5DefU+rm3c=

50M3F7hrlnBBTDLKumo4nMY=

Fqq41ivP9XMLaTycqZUCOA==

711EHcp3p3EnLk+rm3c=

LT/fL08ENi0Gi1dYk4bzMQ==

majorcaplanetary.com

Targets

- Target
  
  6d4977cb739bd60eaf1bd6cea2258cf09a2aaab71a3646f8c055ba9fbc5db6f5.xlsx
- Size
  
  896KB
- MD5
  
  eb5418b2d45b0f361fa93f01139871d0
- SHA1
  
  882c97f3fd9b406183e4ac01396ff41fabb2c1b3
- SHA256
  
  6d4977cb739bd60eaf1bd6cea2258cf09a2aaab71a3646f8c055ba9fbc5db6f5
- SHA512
  
  7aad6ed53af3b4f0d7f8da3dababe42cb48ca086bdc495ad5908ab74ee90e3dcc4f45a9b66d091241868aa21fa79b2578ee02ba9f46f4fc3ff53e4dedf068107
- SSDEEP
  
  24576:7oD1xqL1dePSHEwb2hvSiMBpVxYyUYbLQhCntqY:cD1xqLD7HNb2NMHVhUYbkhmqY
Score

10^/10

formbook xloader u8ow loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderu8owloaderpersistenceratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy