Overview

overview

10

Static

static

DHL Tracer.exe

windows7_x64

10

DHL Tracer.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8f9430926059b310cac4b568f1ad316f8a9c44d6645d8e30661b5cbc8408254c

  • Size

    281KB

  • Sample

    220521-nrtl5seaf4

  • MD5

    232033c109838ada02bacda73f6de2fc

  • SHA1

    ee0b5346aa4d18ab1e7d84efeb1a65cf720a2095

  • SHA256

    8f9430926059b310cac4b568f1ad316f8a9c44d6645d8e30661b5cbc8408254c

  • SHA512

    68f52c2115daaf879fa712141a54566d02a9223ab4f2b1f349002daff6b3f0374d1b0d8549c56a04457ee118271628daebedf65d0930abb0f8412e09ff231226

Score
10/10
formbookk859persistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k859

Decoy

tealpineapples.com

boatybracelets.com

srurslzmd.download

oregonclimatesmart.com

holistics.net

allsystemsforupgradesnew.review

005554008.com

inteligenciamental.com

valedamente.com

novinsaraf.com

schnyderfor.com

newideait.com

horny-for-art.com

susanmurphree.com

lineage2impact.com

khaoskoordinator.com

baolanhuc.men

equifaxlaw.com

aaronsalvato.com

radioxxesertanejo.com

Targets

    • Target

      DHL Tracer.exe

    • Size

      371KB

    • MD5

      22065e9ed2fc96ed8f9ee1fd4ebe5ba5

    • SHA1

      c981814d1ce5fb9bba996f9f3d7853cce6f59cdb

    • SHA256

      931de7a667086f50575388e97d16c318682f63c8ba9d044aa006abc6e26f2862

    • SHA512

      9f05eecfcb2ee087ff2c74190ad7145b8c3a2fea0901a872964f184a8af876b4347172be311117e30db295af1888826d765bd66d807ebee8eac6416e9e770cfb

    Score
    10/10
    formbookk859persistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks