Overview

overview

10

Static

static

DHL Invoic...df.exe

windows7-x64

10

DHL Invoic...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/10/2022, 09:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Invoice Details_pdf.exe

  • Size

    828KB

  • MD5

    384579444926fb62ca870190509ec096

  • SHA1

    818529123f2462098799b6c4dc4aeadda6c170ef

  • SHA256

    1e9b2dab23e487f9f8442ab474b4ec7b56d5bbeca861d37c936a6bbbe2e84bdb

  • SHA512

    ac05a72fc5d0d1254e67c99ccac8673b823aaa98051f69d4b4f84f42eae00ba4acece648fd232e1e80958af3f1dd200358a02c33384d53271d9b1d76ae28a43a

  • SSDEEP

    12288:NwjAs0BRyNr08FI6LouQMQaMjoHmS8A/K17TQoLi8ILTcs/:NwjAs0BROk1kmS897koLi8IH

Score
10/10
formbookd10aratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d10a

Decoy

tprgamesslot.com

1wautomarketing.shop

jnfc.bar

reelestate.info

coolvenead.buzz

am2pmconstruction.com

casasbh-digital.com

kmzu.info

magabestonline.com

evdirect.net

utaxi.app

gamemakr.tech

klsxofficial.com

qfaw.mom

bwchosting.com

joseli.xyz

carnelianintimates.com

manarnews.site

axacpe.click

pinupmeals.click

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Users\Admin\AppData\Local\Temp\DHL Invoice Details_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Invoice Details_pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3216
      • C:\Users\Admin\AppData\Local\Temp\DHL Invoice Details_pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\DHL Invoice Details_pdf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3580
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\DHL Invoice Details_pdf.exe"
        3⤵
          PID:1496

    Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/2560-153-0x00000000030C0000-0x00000000031B7000-memory.dmp

            Filesize

            988KB

            Download

          • memory/2560-151-0x00000000030C0000-0x00000000031B7000-memory.dmp

            Filesize

            988KB

            Download

          • memory/2560-144-0x00000000080E0000-0x0000000008242000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3216-132-0x00000000009D0000-0x0000000000AA6000-memory.dmp

            Filesize

            856KB

            Download

          • memory/3216-133-0x0000000005940000-0x0000000005EE4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3216-134-0x0000000005430000-0x00000000054C2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/3216-135-0x00000000055E0000-0x00000000055EA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3216-136-0x000000000CEA0000-0x000000000CF3C000-memory.dmp

            Filesize

            624KB

            Download

          • memory/3216-137-0x000000000CF40000-0x000000000CFA6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3580-143-0x0000000001550000-0x0000000001565000-memory.dmp

            Filesize

            84KB

            Download

          • memory/3580-142-0x0000000001C20000-0x0000000001F6A000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3580-141-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/3580-139-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/4908-146-0x0000000000630000-0x0000000000642000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4908-147-0x0000000000C30000-0x0000000000C5F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/4908-148-0x0000000002BC0000-0x0000000002F0A000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4908-150-0x0000000002A40000-0x0000000002AD4000-memory.dmp

            Filesize

            592KB

            Download

          • memory/4908-152-0x0000000000C30000-0x0000000000C5F000-memory.dmp

            Filesize

            188KB

            Download