General

  • Target

    Doc23.xlsx

  • Size

    814KB

  • Sample

    230324-kmka5afd3v

  • MD5

    0b21432118ee771920b7ea1ab0291a6b

  • SHA1

    ab7fbfe7ac70726729f2ee75468833f5a3eaff5a

  • SHA256

    c8381037a439cb72f8927b7f13c5007d8ac1e7964d9f7c98540227e5aae68805

  • SHA512

    561bd13d36861b835d159cb7adf0ae5d6e1826fdc7d1d476e548b98028a43621ebfa96025f7170499a4afc44d0c6641bb7b1900b762ffb74d5d320582ee29072

  • SSDEEP

    24576:pIBPVq4EkeVLJvDgIOxTWSv7Z0XVLFKd6+88qkmKt:p44X5eTL6Fh+88qkmKt

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Targets

    • Target

      Doc23.xlsx

    • Size

      814KB

    • MD5

      0b21432118ee771920b7ea1ab0291a6b

    • SHA1

      ab7fbfe7ac70726729f2ee75468833f5a3eaff5a

    • SHA256

      c8381037a439cb72f8927b7f13c5007d8ac1e7964d9f7c98540227e5aae68805

    • SHA512

      561bd13d36861b835d159cb7adf0ae5d6e1826fdc7d1d476e548b98028a43621ebfa96025f7170499a4afc44d0c6641bb7b1900b762ffb74d5d320582ee29072

    • SSDEEP

      24576:pIBPVq4EkeVLJvDgIOxTWSv7Z0XVLFKd6+88qkmKt:p44X5eTL6Fh+88qkmKt

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Command-Line Interface

1
T1059

Exploitation for Client Execution

1
T1203

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Tasks