formbook

General

Target

3ee7a91560ab8b79b646bb8eeda565d50263e9218aebb65a3dda72121554f007
Size

606KB
Sample

241121-y58nbs1ngn
MD5

97e9aeacbfce35cdafd1e74387436e51
SHA1

ac2bd11fb1deb7671eee44e3cc0ce19f66e70353
SHA256

3ee7a91560ab8b79b646bb8eeda565d50263e9218aebb65a3dda72121554f007
SHA512

853c521b6570efeb4c6ef6dbd941ef407a72f5882bd3779edf8dda2b8ae6a31d641fb307b2c04099022e7a374adc23ac4e4ce67185d26275c788fe70de6fd7fe
SSDEEP

12288:1WY1ncIy6o72TiKfvJvZ3JlCN2a33Y5jkAn/SAuA31jYyunCjyGzpVe:1WAry6/WKflZ5DMY5jkAn//3mzayYpVe

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

6hsc

Decoy

6cvqXARAGlgdnnbXYQ==

Mi4yZ8FULou6w26U2FDnEbA=

Xmx0bJmRZGL+O0RFfLFNN9AMdwn+

B0WNhyl4T2gWBIqE1VDnEbA=

DI2G9/sG/v6YIh42aQ==

0NTaAl90ZWYiGV/bT4U=

DWCuXrL23Cc3xdIG/0dT

fTbzys/dddqOVQ==

8ClrDFi3i+asgxBOnguhlQ==

YjOkWLSpXeqrXw==

gAIov8vbtv8vr8/tFSXvDULL7thokKA=

xMW2qsXay7xNkonR/zxPo939

xc38fRlgO2opnnbXYQ==

+o31vQlURJKmLUWfHlMq0Gjs

z6GwWxCSKJLJ

2pnQ5evpehAxUt4hd6pq9X71

2CmXDSU2DTmDR+Q=

WV9ScxFQID1V2glQnguhlQ==

L8UDlK65h9wJ7Zeb3VDnEbA=

Agb4LF2bRcDX

Targets

- Target
  
  SOR-0188-2022-E - Sea Orpheus.exe
- Size
  
  715KB
- MD5
  
  1963afa9192dbc64dcf0f05a09ca4a84
- SHA1
  
  07e68172cf7485b8921739037b3045742d6e87a5
- SHA256
  
  9a3a97e6801259fb5c604f364434f5c96c519dc979be88f69488a87e3b1fbd2d
- SHA512
  
  fa5a8e76864e081a7b29b7182ee1bc9a5a78f5904e3592a6c6e6027af32713e2bed4e832354e48b367e52a021c2a74823937883afa210c8cc82e2f67b0f369c7
- SSDEEP
  
  12288:tVF75e1ZuqRhf5O5zOJf2t51Yy8rZGGWvC0DsD88WV+kOGq+b6e6/U:tVZ52ZB7xOFEDy8r0Ru8LjBf
Score

10^/10

formbook xloader 6hsc discovery loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook family

Xloader

Xloader family

Xloader payload

Checks computer location settings

Deletes itself

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2