General

  • Target

    030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.zip

  • Size

    448KB

  • Sample

    230308-pym9daab98

  • MD5

    ba822e3e7cadf20eb66225c791b7e960

  • SHA1

    8e94a5a47b97596691a04e9b2f71f77eed3372fa

  • SHA256

    cb16e5571d706a25a712bf52bb1b2a9c8ab2845a138e4328ddce71b5b95a59f9

  • SHA512

    8cfca981c65804f938e29439e734550af760bbe7f4a2d930369c50bb739534666bfa1640078e362c4ebb95ebcb5d61aeffb155f4e46b68c74682306b28d837e0

  • SSDEEP

    12288:AbMQl6u0lqGOti/7pX8LNT2GuTUobO4K9ve8WoUveg:wg4dU/tX6QGuTUoPZvkg

Malware Config

  • Extracted

    Family: formbook

    Campaign: qsqm

    Decoy:
      gYI8BO7T7BQOBw==
      5kKpX8NHT4cITCAOEkMYvi5HiMZ5
      oq5lCVwFY9KNJipM
      OiTOjWhDMXBf8H9o79k=
      rSDHx5jqNn3Sz/LND/0G
      ob6FSUE4NYUi5Iqg1YGfMg==
      fI5oMbAC5EAeerSKKRM2PjF7TYJh
      lmWieqE8QHg=
      yLxwFWm+rbCJXqE=
      MyY9R8VCSaAtEJY2MdHAXKY=
      WYA53Ezjh808
      EPu6bfMPNJUh
      upyUkeqQ6B/FJyq2PCiwnZf/
      RvN3e2hDLJQmo9qtZTVoRmPi
      hZhWEObjh808
      K1gowrFsO5p0UchTUEVoRmPi
      7hXPaZ6i+F7o2L8OCCyhNA==
      bIp+E/xrSG9QHA==
      +EPrJAdvSG9QHA==
      METFhoRGH1sBBWhAbA==

  • Extracted

    Family: xloader

    Version: 3.Æ…

    Campaign: qsqm

    Decoy:
      gYI8BO7T7BQOBw==
      5kKpX8NHT4cITCAOEkMYvi5HiMZ5
      oq5lCVwFY9KNJipM
      OiTOjWhDMXBf8H9o79k=
      rSDHx5jqNn3Sz/LND/0G
      ob6FSUE4NYUi5Iqg1YGfMg==
      fI5oMbAC5EAeerSKKRM2PjF7TYJh
      lmWieqE8QHg=
      yLxwFWm+rbCJXqE=
      MyY9R8VCSaAtEJY2MdHAXKY=
      WYA53Ezjh808
      EPu6bfMPNJUh
      upyUkeqQ6B/FJyq2PCiwnZf/
      RvN3e2hDLJQmo9qtZTVoRmPi
      hZhWEObjh808
      K1gowrFsO5p0UchTUEVoRmPi
      7hXPaZ6i+F7o2L8OCCyhNA==
      bIp+E/xrSG9QHA==
      +EPrJAdvSG9QHA==
      METFhoRGH1sBBWhAbA==

Targets

    • Target

      030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe

    • Size

      474KB

    • MD5

      dcb7eaa1fd51e975b67a3ed92509167a

    • SHA1

      528c5a4837a195707581724d408c809433f14a16

    • SHA256

      030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498

    • SHA512

      8b095bc1d1c22db78e1ee1011bd7d6564c3657c4bade729baf803b6df857f88be1fceac74b55b72786df635bbee7ad3ff8d17bbc28da553c1bb08ae275df543c

    • SSDEEP

      6144:WG0tEl7ERlzVxn5zLTjgpjdGXq7IOVf4c0Lu8nuyqvM30vakSNMmoYqTVXwIuODf:BCFzbF3g1kXqZf4czAVMmlq5pTlEv1G

    • Formbook

      Formbook is data-stealing malware.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry, T1112 (1)

  • Credential Access

    Credentials in Files, T1081 (1)

  • Discovery

    System Information Discovery, T1082 (1)

  • Collection

    Data from Local System, T1005 (1)

Tasks