formbook | 491a2083c1bfd87c4b26dd687316b7fc50e2a35771e57e45769043d21bc8bca5 | Triage

Sharing

General

Target

491a2083c1bfd87c4b26dd687316b7fc50e2a35771e57e45769043d21bc8bca5
Size

892KB
Sample

241121-zg6z9ssjbj
MD5

20d507beaa8f361c5af382efbf87cf33
SHA1

5e5dbc5bb8f02d096b5b9ade61c1142d2097dab5
SHA256

491a2083c1bfd87c4b26dd687316b7fc50e2a35771e57e45769043d21bc8bca5
SHA512

0ffa180e5ebd3ad15d0069abc8e409a90ca295164bdeae9379e5e740f31893c7914355617d3f3cb8bab29602b6712de230ab80028770bb0faf10f4f210fa28be
SSDEEP

24576:m+ODiZ6H/v1UAQkyplydQ6ins8adpyWtQ7B7Ti:56nFQkjRq9C

Score

10^/10

formbook xloader f3bq discovery loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

f3bq

Decoy

EycW4KsHurZ80uRoO5Ci7qqvYA==

qTeo+vvLiXtITF++qA==

aN69k0COUW1Xt8xTIGl1GX59NYoXPHZh

WHDM3u/Jyu6xx5lEtISl7qqvYA==

TOlj27idD7p4MYTE/Dg=

AC71rZJwmD0TY/VK

iysL+SA+7FMTY/VK

N9e+ns2plwr+0C83ztRc

6OQtlIdjkAvFqzE3ztRc

39k8+W7n0llTNYTE/Dg=

lq0Y/ktyn0MDx01CfsfvG7U9PPw=

3nxaPQRrFwnWKDC65zBq+Q==

R9OzJ70qqVH/f7b0URQN4fTL

9zWtmE24YYxslCdqsboN4fTL

oTchmfxOEi4wtQ0S7PvY0Xo=

HrCsl9K1sdiImmzWGO4ijiPpdw==

rFQw9LEwYAcIBNU3ztRc

Z50ArBOKdqETY/VK

T0mvicHsMFkHw0o=

Yw/oyfoe2flkp5Me82IED5nEG9gYYQ==

Extracted

Family

xloader

Version

2.9

Campaign

f3bq

Decoy

EycW4KsHurZ80uRoO5Ci7qqvYA==

qTeo+vvLiXtITF++qA==

aN69k0COUW1Xt8xTIGl1GX59NYoXPHZh

WHDM3u/Jyu6xx5lEtISl7qqvYA==

TOlj27idD7p4MYTE/Dg=

AC71rZJwmD0TY/VK

iysL+SA+7FMTY/VK

N9e+ns2plwr+0C83ztRc

6OQtlIdjkAvFqzE3ztRc

39k8+W7n0llTNYTE/Dg=

lq0Y/ktyn0MDx01CfsfvG7U9PPw=

3nxaPQRrFwnWKDC65zBq+Q==

R9OzJ70qqVH/f7b0URQN4fTL

9zWtmE24YYxslCdqsboN4fTL

oTchmfxOEi4wtQ0S7PvY0Xo=

HrCsl9K1sdiImmzWGO4ijiPpdw==

rFQw9LEwYAcIBNU3ztRc

Z50ArBOKdqETY/VK

T0mvicHsMFkHw0o=

Yw/oyfoe2flkp5Me82IED5nEG9gYYQ==

Targets

- Target
  
  nuevo orden.xlsx.exe
- Size
  
  741KB
- MD5
  
  b414629b844d0a8cf08cd22d175a82f6
- SHA1
  
  0d9f83e40a924ba16e9bde6f3d2b5dbc19056703
- SHA256
  
  6124faef534c43b40607b85ffc1798cb3064d7eb2239422d2b35826a6de5e3ee
- SHA512
  
  d4e6f4f21b5426dcbac8d53feb96155202d9f09ac51299c3b3d02b7d5163f6043e175e9f36ea08503de98aad21ff5ff1dcc0a68e8ab4cfad4a279795720f6c53
- SSDEEP
  
  12288:qG2AZMzJWsuhczRVQEIcA3Q9UJwUIscc1FOg9Y9jg0Fl6p+liq+c:qG21JnuizRV7lUJgog
Score

10^/10

formbook xloader f3bq discovery loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookxloaderf3bqdiscoveryloaderratspywarestealertrojan

behavioral2

formbookxloaderf3bqdiscoveryloaderratspywarestealertrojan