Overview

overview

10

Static

static

1

DHL AWB TR...LS.exe

windows7_x64

10

DHL AWB TR...LS.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 08:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL AWB TRACKING DETAILS.exe

  • Size

    248KB

  • MD5

    4e358b432ba956c13627beee054d68e5

  • SHA1

    8791318da047e93f2a16cc6535eba5159228f832

  • SHA256

    836696cddebff5d522acb2c105a404ceeb635df69b3c9544b5bebcef13bc3e86

  • SHA512

    a251f2f3e4fe9b0b44b3537983b406e9eb2d5e22298129ba9548f626c3657410adf23b50d0dd69f4601d7c873056e545ca7be0d808f8f0db3f9a38609b82dcff

Score
10/10
formbooka34bratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a34b

Decoy

mesonarte.com

eksiwakun9.xyz

dustcollectionconsultant.com

heliosarchitecture.com

chinaanalysisgroup.com

nimbinhillshemp.com

ychain.biz

mountshastaart.com

monstermangoloco.com

bodhiandbear.com

rootednft.xyz

metayema.com

zw21.xyz

criccketworld.com

segurobarato.net

ananyacap.com

momo-momo.xyz

ezrealestatedeals.com

ghrde.xyz

idimol.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe
        "C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:900
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:540
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe"
          3⤵
          • Deletes itself
          PID:1376

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nstEF8F.tmp\vzhghptrhu.dll
      MD5

      d2b96d84df88876d02820ca05c8254e2

      SHA1

      66c575874197ace26e2d77c408154891c1c2a464

      SHA256

      ac4f4fc273432d090b87cc740b2668bb105aea12d35b9f48be82885607172708

      SHA512

      123b2255f5598bc7d51872cb2e0cba58367b22ad638df786aaefa4cfddda11a0daec36002559cd9a2bdcd74cc78f903642595e0438fdd82681a938b9cb1b97f1

      Download Submit
    • memory/900-62-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/900-57-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/900-59-0x00000000008E0000-0x0000000000BE3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/900-60-0x0000000000340000-0x0000000000354000-memory.dmp
      Filesize

      80KB

      Download
    • memory/900-63-0x0000000000390000-0x00000000003A4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/948-55-0x0000000076B81000-0x0000000076B83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1400-61-0x0000000004D30000-0x0000000004E68000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1400-64-0x00000000049E0000-0x0000000004B03000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1400-69-0x0000000006820000-0x000000000690D000-memory.dmp
      Filesize

      948KB

      Download
    • memory/1592-65-0x0000000000BD0000-0x0000000000BEB000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1592-66-0x0000000000080000-0x00000000000AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1592-67-0x00000000022C0000-0x00000000025C3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1592-68-0x00000000003D0000-0x0000000000463000-memory.dmp
      Filesize

      588KB

      Download