formbook | 758babb4a9a5fe4b8c01249407865b66d21151853ef0d89cbcdb5c4094381c27 | Triage

Submit
Reports

Overview

overview

Static

static

1

822e04d019...2.xlsx

windows7-x64

822e04d019...2.xlsx

windows10-2004-x64

1

Sharing

General

Target

822e04d01976758fde626715bc7088a2.xlsx
Size

873KB
Sample

230220-lssecsae26
MD5

822e04d01976758fde626715bc7088a2
SHA1

a5207fd96dc218a708320e10e4a5d80a015c9ec3
SHA256

758babb4a9a5fe4b8c01249407865b66d21151853ef0d89cbcdb5c4094381c27
SHA512

0504673b260deb984a2d939016b6219e979c6365d4fcf13aa11f3082e0c33d022b7a814187de45ac165186a525f6bb0212206e53ab33e603ede38538d9797397
SSDEEP

24576:EQewRaHQt/yAlrf1bFR/Dh1uxNgDTAOl+lD+DjDwZtRV:EMgHQtD3PwGNQ+DjsZt7

Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

822e04d01976758fde626715bc7088a2.xlsx

Resource

win7-20220812-en

formbook xloader poub loader persistence rat spyware stealer trojan

windows7-x64

25 signatures

150 seconds

Behavioral task

behavioral2

Sample

822e04d01976758fde626715bc7088a2.xlsx

Resource

win10v2004-20220901-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Muif0yE4CQN1VOs=

VEt6//SsIukFo46EOTs=

Z8su52MYL67C

usDwuHRs8/KlWg==

idmltXXu7XAgHLE/UPTcjw==

QPrxO2shWNiGexGboHDSRqBQ1TBd

hq9rqBND8/KlWg==

QS9iHFx08/KlWg==

v1soVFoThEdt/B/dK0v4+6Wb

7rqJytN13KKAQEW7

OWbeN2SDJwonsI6EOTs=

aqQrrKZDm16GMlAtvxavW1Cf

imnEZWIEbC4M8Q+i

Bry3oQg5+6ZaUNxzwg==

B3vYmyxPQS5XYvmCsqQXX8X948Zf

KbGBmwwCyKTKsUcRUNN6CD61aw==

2WpDae4P+W4cdqc8kPBcjqg0wS1X

MvkZLPRY25jI

Alr0VZGxYxG3dR/zSNjBhQ==

ZJkdjczlrF+8l0Os

dcmMkFm+QhFD4OM=

fMdUrd4J1n4mmWElww==

Gat+k1fHg11vTQ==

sn+7Q4uxaAu9FyGv7k24F1DWaBEvmRI=

CjvGRTnXOhtN6QSNxhmvW1Cf

CpHvP2VSxaKAQEW7

qQWkEUJYFKhPttOZ4MarX8KKLl+/Jg==

GNVP4yIy8/KlWg==

pqfVAERhYxN7YPM=

9nS5b/AGCpZNAfZj1A==

a3GcpSND8/KlWg==

fin6NmQXayreIOrzPyw=

EjdROfeTsDPVH+rzPyw=

DO4xD8nURBwM8Q+i

+p/LQHFh0KOAQEW7

iNos10QpwjvjvFrXJYtYFiuHdA==

SX//aFP4Yi5T6NbcKQr07J6e

2NKh0dNr52sTdH4OSNjBhQ==

ZMSJmgsxFrlp5fnecrgeVYcP4xRZNho=

oXmlavAJ+3IbFbl3Gm4H+iKG

ijjWRYCaXiTcigreSNjBhQ==

ZqpH49I4XPu1k+rzPyw=

ZZUh+4FrrBbKukgJWoeuFzY=

lLnTxHn7rq/W9G8rzjsgCnyBYw==

drzjup.space

Targets

- Target
  
  822e04d01976758fde626715bc7088a2.xlsx
- Size
  
  873KB
- MD5
  
  822e04d01976758fde626715bc7088a2
- SHA1
  
  a5207fd96dc218a708320e10e4a5d80a015c9ec3
- SHA256
  
  758babb4a9a5fe4b8c01249407865b66d21151853ef0d89cbcdb5c4094381c27
- SHA512
  
  0504673b260deb984a2d939016b6219e979c6365d4fcf13aa11f3082e0c33d022b7a814187de45ac165186a525f6bb0212206e53ab33e603ede38538d9797397
- SSDEEP
  
  24576:EQewRaHQt/yAlrf1bFR/Dh1uxNgDTAOl+lD+DjDwZtRV:EMgHQtD3PwGNQ+DjsZt7
Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxloaderpoubloaderpersistenceratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy