formbook

General

Target

530510ea2c39f0e2984eb108dd91b31fa861718d9d875aaf353f6574aa433647
Size

374KB
Sample

241121-y8kqns1pgj
MD5

17d0c744f89393ac5911f70e9144a63c
SHA1

297a571a32bedd89ef3071457697b29b434fde9c
SHA256

530510ea2c39f0e2984eb108dd91b31fa861718d9d875aaf353f6574aa433647
SHA512

bc5fc43b51f554d26acc40043ea10d21f57b03f4d76435be93b43b8b5b084fe1cf018c5b2f9c5e5ef5e90936413d833b696108fd69324aabf897c3b49f931771
SSDEEP

6144:TZoyY9VwHhoJachMTKyOg4lrUupHy7456Kh6+/LPf81CD5tzKyer6IBMX:909OBoEcMKyOxIupgg6QDkg7LyXY

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

ah5g

Decoy

wReSyw0+RXB9dOy3kw==

Mje7ZN4AqSDHqWC1

5l8DIF3lJCgYq1grAXaPXqfyVHnB

2yzJ2v0xCurT2fvWrRcjCzblO9c=

GA0puQ1MMi53/hai

HcK10MEkj/my0vq6

/eYRSqPBgN5mIFYdwhhNPx4qKcA=

QrJjn3pVSWJS6475YqG+m+dcqQpGhro=

/PIhV6hz2lTnpEqs

IfnU8x2W9a3nm8s=

oyfXKKI/e2Z1pbd5V/qLNnOhqQ==

CAUhKPVikYla3ZNZPMVP3EUxEzuktfKD8A==

7CHCZd4BqyDHqWC1

3zzpmQsz8GTjBrKZIldeuv0=

gv+8bdOi/XLc9Jgmzak1

DHUSvjFMIJpgmNCkn4lab6dr

YLszW53Yz3/NTUVOuww=

PNN6m5J7Uoodo1bFQrPcNnOhqQ==

E5pVg8MGG+NEbQNOH+WLNnOhqQ==

GO/g98tDkI6CdOy3kw==

Targets

- Target
  
  8df5da115c8287798fe9d01446bcad9e56020c15328257b305503f77ce1b8dd9
- Size
  
  458KB
- MD5
  
  b9d18f0b735dea8d38a0b7cc9db54546
- SHA1
  
  46b618a3134e02b343536c3c35fb44c64d1150c4
- SHA256
  
  8df5da115c8287798fe9d01446bcad9e56020c15328257b305503f77ce1b8dd9
- SHA512
  
  ac92fbe7548d7eb60bc2232497ce08fbea5eed4d5a6ac488ff8a89d7d80b51392dec8012d935b81536bf31d36a521302405a85a34c3c908111f67ce4839a832e
- SSDEEP
  
  6144:ZxlZd712A3TemiYjAKD+DrL/f01XcnNRHolwNADBuHzo1N8L:Hl7oE7iCAc+/L/cZPlgSBuTo1
Score

10^/10

formbook xloader ah5g discovery loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook family

Xloader

Xloader family

Xloader payload

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2