Overview

overview

10

Static

static

DHL Shippm...df.exe

windows7-x64

10

DHL Shippm...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/10/2022, 07:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Shippment Notification_Pdf.exe

  • Size

    1.1MB

  • MD5

    b619f997ab8438ff21c618fb65ebb8f4

  • SHA1

    f9487f12db87f8ff926f8f2bb08086a660c24844

  • SHA256

    369d9c19a6f8e9b3fc88bb922fd7253a50b5fc90b1691972bf89748e19a0ff81

  • SHA512

    1c2ebb6bbd39175816acd4a6a16aba0cc9e50d3a147cff4c8874a33590030ce38af92943e970a74c4a2afa0cee211570f140b009d7eba5cfb63d6e5adc585e94

  • SSDEEP

    24576:7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNussypBxiPnw:ZiPn9rs0Fdj

Score
10/10
formbookd10aratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d10a

Decoy

tprgamesslot.com

1wautomarketing.shop

jnfc.bar

reelestate.info

coolvenead.buzz

am2pmconstruction.com

casasbh-digital.com

kmzu.info

magabestonline.com

evdirect.net

utaxi.app

gamemakr.tech

klsxofficial.com

qfaw.mom

bwchosting.com

joseli.xyz

carnelianintimates.com

manarnews.site

axacpe.click

pinupmeals.click

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Users\Admin\AppData\Local\Temp\DHL Shippment Notification_Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Shippment Notification_Pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Users\Admin\AppData\Local\Temp\DHL Shippment Notification_Pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\DHL Shippment Notification_Pdf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4148
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\DHL Shippment Notification_Pdf.exe"
        3⤵
          PID:4448

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2948-151-0x0000000008610000-0x0000000008760000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2948-162-0x0000000002960000-0x0000000002970000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2948-161-0x0000000002A90000-0x0000000002AA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2948-160-0x0000000002820000-0x0000000002830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2948-159-0x0000000002820000-0x0000000002830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2948-158-0x0000000002820000-0x0000000002830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2948-157-0x0000000002810000-0x0000000002820000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2948-156-0x0000000002820000-0x0000000002830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2948-155-0x0000000002820000-0x0000000002830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2948-154-0x0000000002A90000-0x0000000002AA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2948-144-0x0000000007CE0000-0x0000000007E1A000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2948-153-0x0000000008610000-0x0000000008760000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4148-143-0x0000000001460000-0x0000000001475000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4148-139-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4148-141-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4148-142-0x00000000018F0000-0x0000000001C3A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4160-150-0x0000000002540000-0x00000000025D4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4160-152-0x0000000000670000-0x000000000069F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4160-146-0x00000000002C0000-0x00000000003FA000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4160-149-0x00000000026B0000-0x00000000029FA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4160-147-0x0000000000670000-0x000000000069F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4940-132-0x00000000000B0000-0x00000000001CC000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4940-137-0x000000000B5D0000-0x000000000B636000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4940-136-0x000000000B530000-0x000000000B5CC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4940-135-0x0000000004A20000-0x0000000004A2A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4940-134-0x0000000004A80000-0x0000000004B12000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4940-133-0x0000000005030000-0x00000000055D4000-memory.dmp

      Filesize

      5.6MB

      Download