formbook

General

Target

df6hzlfpfbcxv4f.exe
Size

177KB
Sample

231119-kcvdcahc77
MD5

550076952d4e9961ecf381824c38e022
SHA1

ce65a915752d64e601e158690b198aee5a22a31e
SHA256

15d56d28ea0f515ada674dfbbf4391390e9c1248c7a8c895d932b4220e6c2a81
SHA512

70e42430b94148be0d03d83b82b77177c1288c893b241541bc51a8a87f4f72f9b1e1e14c2508cb44c30a33a17318077454d439143261e3949ead2df2505632d5
SSDEEP

3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

6hsc

Decoy

6cvqXARAGlgdnnbXYQ==

Mi4yZ8FULou6w26U2FDnEbA=

Xmx0bJmRZGL+O0RFfLFNN9AMdwn+

B0WNhyl4T2gWBIqE1VDnEbA=

DI2G9/sG/v6YIh42aQ==

0NTaAl90ZWYiGV/bT4U=

DWCuXrL23Cc3xdIG/0dT

fTbzys/dddqOVQ==

8ClrDFi3i+asgxBOnguhlQ==

YjOkWLSpXeqrXw==

gAIov8vbtv8vr8/tFSXvDULL7thokKA=

xMW2qsXay7xNkonR/zxPo939

xc38fRlgO2opnnbXYQ==

+o31vQlURJKmLUWfHlMq0Gjs

z6GwWxCSKJLJ

2pnQ5evpehAxUt4hd6pq9X71

2CmXDSU2DTmDR+Q=

WV9ScxFQID1V2glQnguhlQ==

L8UDlK65h9wJ7Zeb3VDnEbA=

Agb4LF2bRcDX

Targets

- Target
  
  df6hzlfpfbcxv4f.exe
- Size
  
  177KB
- MD5
  
  550076952d4e9961ecf381824c38e022
- SHA1
  
  ce65a915752d64e601e158690b198aee5a22a31e
- SHA256
  
  15d56d28ea0f515ada674dfbbf4391390e9c1248c7a8c895d932b4220e6c2a81
- SHA512
  
  70e42430b94148be0d03d83b82b77177c1288c893b241541bc51a8a87f4f72f9b1e1e14c2508cb44c30a33a17318077454d439143261e3949ead2df2505632d5
- SSDEEP
  
  3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j
Score

10^/10

formbook xloader 6hsc loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

Xloader payload

Checks computer location settings

Deletes itself

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2