formbook

General

Target

91a9121e603a99e319a085831a57e15e1d1566eb32f422c4c47ae01ae0144f5e
Size

519KB
Sample

241121-zj5j8asjgp
MD5

df030eca3526491b85b4486316d7c073
SHA1

dcb9cdbadf3cd42b7243762bbbc9b3f9c1ae689a
SHA256

91a9121e603a99e319a085831a57e15e1d1566eb32f422c4c47ae01ae0144f5e
SHA512

36e25d030b96a3a7d1c7cabb9a8e6ff8b40361becbaa24531368c2f49661d38568913f093e6c837778ffd65222b4cc165482baf97074e8b857bb7e45e7e0e6c7
SSDEEP

12288:ScGbZlfd0taD+hrDY8qT2s+H9y5XwpYFJ+PxAhJOwj8W:S1aUD+hrDY8hsa90APPcJd8W

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

fofg

Decoy

FHyydxpFBs0S8b4ZlP7ZEtd/

EVaCEKb/cVV9xQ==

U9I5lke0IuU7vj5EXus=

rXD3AKPV3qUblOUsV41KMfU=

PwBSy5z56XNzIvnS3ygsKv0=

CQe1BLbSnGXX

HuhKjxhLhxqBy2FFz8WoFA==

QJymezEoLOFZ1T5EXus=

V8r5PAdwuGK2AUARohas

b1XV06ANH9s5uj5EXus=

3EiEhwo7Euw2tl8=

c2PjK8Izkydy5N8x

CXCkYf0m/qPrv8QajKyT6Oo=

pHjy+Mk0CqvWBXdCz8WoFA==

QjSwr3/j5rAyvz5EXus=

+edxANg/sU+k8YFQz8WoFA==

tWiQq3rqyl6cTAG9pA==

GeAyMQxBUOlDwD5EXus=

nQ5eoT2mEKkhDN2DwBek

JP5dIbHlrXXR8umDwBek

Extracted

Family

xloader

Version

2.9

Campaign

fofg

Decoy

FHyydxpFBs0S8b4ZlP7ZEtd/

EVaCEKb/cVV9xQ==

U9I5lke0IuU7vj5EXus=

rXD3AKPV3qUblOUsV41KMfU=

PwBSy5z56XNzIvnS3ygsKv0=

CQe1BLbSnGXX

HuhKjxhLhxqBy2FFz8WoFA==

QJymezEoLOFZ1T5EXus=

V8r5PAdwuGK2AUARohas

b1XV06ANH9s5uj5EXus=

3EiEhwo7Euw2tl8=

c2PjK8Izkydy5N8x

CXCkYf0m/qPrv8QajKyT6Oo=

pHjy+Mk0CqvWBXdCz8WoFA==

QjSwr3/j5rAyvz5EXus=

+edxANg/sU+k8YFQz8WoFA==

tWiQq3rqyl6cTAG9pA==

GeAyMQxBUOlDwD5EXus=

nQ5eoT2mEKkhDN2DwBek

JP5dIbHlrXXR8umDwBek

Targets

- Target
  
  List of gchain fall hoist needed for quotes pdf.exe
- Size
  
  930KB
- MD5
  
  53f4e52a78bdf6541e3efdaf401ebbd3
- SHA1
  
  9c4841f6dc393e0a197aba01e9cb8491999a6150
- SHA256
  
  0a92b6b6c9ccba573ca47718bf608715dbc87ad48afc19bf7004d8eb9bf598d0
- SHA512
  
  f14c3b7c53df876eae2d1ea6e03d88d419e91ee9926334993d585f470c4a13eaa1326544de95a0ce06d3b2590461b3ef52c988c8d1bde7e56ca6b49081305300
- SSDEEP
  
  12288:GMY3QedajfctobEgT4FtM/e2Rw4nZu4LvJ0BPykKu2sN9nuI:GMwdwOobfT4Foe2pLBuhN9n
Score

10^/10

formbook xloader fofg discovery loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Formbook family

Xloader

Xloader family

Xloader payload

Checks computer location settings

Deletes itself

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2