formbook | cde343d0c07a0fa310a05434efafe274503dc0a5ba64bd9fdff873301ddbb5ed | Triage

Sharing

General

Target

cde343d0c07a0fa310a05434efafe274503dc0a5ba64bd9fdff873301ddbb5ed
Size

355KB
Sample

230207-ksq1vsdg7x
MD5

c71d6374ee14811b90b888115a68ee38
SHA1

69647456d522067f625d2a4f3f52e438632d4778
SHA256

cde343d0c07a0fa310a05434efafe274503dc0a5ba64bd9fdff873301ddbb5ed
SHA512

0ed2d26d2fc335a497dbb7fd9aa541a332a71f0fa85e68d47c98de2eb8c47545c966d56c7eaf13fcccd74ec04833649548c94eea89ed4bf3ff2277395a815c6a
SSDEEP

6144:PYa6m1XaVqcQOGYiZ07ohfxdAcI6d0xzs5UzoiOVcFnzVPk32BXbi+lIAZoEN8Qp:PYYQNGxdfbI6wzKRiuiz1k32BL56qNd

Score

10^/10

formbook xloader u8ow loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

u8ow

Decoy

uzhDDUNgg10rOh8rkUMGYiLuNnRWl9gwMQ==

bfkA4IUaSgYi7IA=

ezX5yHeR21O3h2RCgQ==

x3E4ntHeLMGQm0kdTi6PJtjOVS6Em8UaKA==

xJuAYwcZLAfqrVazWjvkirgFxDSf

qrGugLdannLYegX5dCtFMA==

i61nMddueAYi7IA=

RoNMKNhtdDWpeiYoaB37TPiHTLo=

RFj3UHHrDtAktSZhYku36opnsaMbNA==

lx0g+6RPl4jwwNPRPuTD

MyEQ4oGk6vXrMM4V

0IVWH0rfKe1J4nn6J9XB

SYVlN3Zrnq2OaWpDiQ==

fNa0jy3P8KQK25rpmwqd0t8=

UZuSZpW+9ffX9KXzmgqd0t8=

Vxf85YCWvYNZjkcDdCtFMA==

0gG1EzLP7/DrMM4V

WExRGVAEE6YS5tJkTxMhR636+A==

6Tv7U4QdURt1KUI+gw==

ooR7RXgsXPtaEutnaQ3efjIXmfJePavzIA==

Targets

- Target
  
  cde343d0c07a0fa310a05434efafe274503dc0a5ba64bd9fdff873301ddbb5ed
- Size
  
  355KB
- MD5
  
  c71d6374ee14811b90b888115a68ee38
- SHA1
  
  69647456d522067f625d2a4f3f52e438632d4778
- SHA256
  
  cde343d0c07a0fa310a05434efafe274503dc0a5ba64bd9fdff873301ddbb5ed
- SHA512
  
  0ed2d26d2fc335a497dbb7fd9aa541a332a71f0fa85e68d47c98de2eb8c47545c966d56c7eaf13fcccd74ec04833649548c94eea89ed4bf3ff2277395a815c6a
- SSDEEP
  
  6144:PYa6m1XaVqcQOGYiZ07ohfxdAcI6d0xzs5UzoiOVcFnzVPk32BXbi+lIAZoEN8Qp:PYYQNGxdfbI6wzKRiuiz1k32BL56qNd
Score

10^/10

formbook xloader u8ow loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderu8owloaderpersistenceratspywarestealertrojan