formbook | 12748aea84778652c1b2fef43117bdb42de3061f4a4376927ca27154cce42013

General

Target

DHL Express Duty Charge, AWB & BL.exe
Size

580KB
MD5

53f6cb13cf941ca18bc398d32f845579
SHA1

a09d0166e26b59e01d8f9314c98534adcb6de340
SHA256

12748aea84778652c1b2fef43117bdb42de3061f4a4376927ca27154cce42013
SHA512

c272cc3432ad0ed6946fb6c95a9e76842f605b66096bfc86203245176e460494ed670f718110468c9c71957dcd29d66006b7738e40e951cb06f9c762234c2494
SSDEEP

12288:isDRL2aOfokSwTh/TCu3SCfn1YD9wj0lmbPOFh7HuTO:DJOfo9+8VCfn89QPOB

Score

10^/10

formbook h8t0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

h8t0

Decoy

pX0T7fJ5SmBsroaYtF/qyNlKtSA=

S2NpcYsZ0sMKKsWw

InTDrCxX1GVhp7fzmK8=

mH5Ax6r2GyAh

GYKFkKD2GyAh

TyWptjZgzlzNV0Y2PtM85dlKtSA=

D/V0extZ3I/PVr6mCqGNazBB

xik8B2uLuILxdg==

oohXUF/7tHGxQs42SvIo+64=

7W/2B7CoqOEfY3WqCw==

SKW3c0DvmA991EE=

dx1jYxAG+T9YaOxctM5OqQ==

uBwqzYUt3KHNKEI1Oq/2tV4UUQ==

HkhDv2iluILxdg==

O8ca/3Z0p/xD0dc9jwgr2g6oorw/DA==

CdVTZwxFv2LSRyckeO1Uvg==

UaO+if0kiQ0HHe29lwaEIv+morw/DA==

wB5RfRm6wFunIVY=

UvpBQ+Ucf97/PRGJm4v8

s86lipNDSIu9D/IqkUIhHGUMTA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DHL Express Duty Charge, AWB & BL.exeDHL Express Duty Charge, AWB & BL.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	DHL Express Duty Charge, AWB & BL.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	DHL Express Duty Charge, AWB & BL.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DHL Express Duty Charge, AWB & BL.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	DHL Express Duty Charge, AWB & BL.exe

Loads dropped DLL 2 IoCs

Processes:

DHL Express Duty Charge, AWB & BL.execontrol.exe

pid process

852 DHL Express Duty Charge, AWB & BL.exe
1920 control.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

DHL Express Duty Charge, AWB & BL.exe

pid process

556 DHL Express Duty Charge, AWB & BL.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

DHL Express Duty Charge, AWB & BL.exeDHL Express Duty Charge, AWB & BL.exe

pid process

852 DHL Express Duty Charge, AWB & BL.exe
556 DHL Express Duty Charge, AWB & BL.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

DHL Express Duty Charge, AWB & BL.exeDHL Express Duty Charge, AWB & BL.execontrol.exe

description	pid	process	target process
PID 852 set thread context of 556	852	DHL Express Duty Charge, AWB & BL.exe	DHL Express Duty Charge, AWB & BL.exe
PID 556 set thread context of 1212	556	DHL Express Duty Charge, AWB & BL.exe	Explorer.EXE
PID 1920 set thread context of 1212	1920	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

DHL Express Duty Charge, AWB & BL.execontrol.exe

pid	process
556	DHL Express Duty Charge, AWB & BL.exe
556	DHL Express Duty Charge, AWB & BL.exe
556	DHL Express Duty Charge, AWB & BL.exe
556	DHL Express Duty Charge, AWB & BL.exe
1920	control.exe
1920	control.exe
1920	control.exe
1920	control.exe
1920	control.exe
1920	control.exe
1920	control.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

DHL Express Duty Charge, AWB & BL.exeDHL Express Duty Charge, AWB & BL.execontrol.exe

pid	process
852	DHL Express Duty Charge, AWB & BL.exe
556	DHL Express Duty Charge, AWB & BL.exe
556	DHL Express Duty Charge, AWB & BL.exe
556	DHL Express Duty Charge, AWB & BL.exe
1920	control.exe
1920	control.exe
1920	control.exe
1920	control.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DHL Express Duty Charge, AWB & BL.execontrol.exe

description pid process

Token: SeDebugPrivilege 556 DHL Express Duty Charge, AWB & BL.exe
Token: SeDebugPrivilege 1920 control.exe

description	pid	process
Token: SeDebugPrivilege	556	DHL Express Duty Charge, AWB & BL.exe
Token: SeDebugPrivilege	1920	control.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

DHL Express Duty Charge, AWB & BL.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 852 wrote to memory of 556	852	DHL Express Duty Charge, AWB & BL.exe	DHL Express Duty Charge, AWB & BL.exe
PID 852 wrote to memory of 556	852	DHL Express Duty Charge, AWB & BL.exe	DHL Express Duty Charge, AWB & BL.exe
PID 852 wrote to memory of 556	852	DHL Express Duty Charge, AWB & BL.exe	DHL Express Duty Charge, AWB & BL.exe
PID 852 wrote to memory of 556	852	DHL Express Duty Charge, AWB & BL.exe	DHL Express Duty Charge, AWB & BL.exe
PID 852 wrote to memory of 556	852	DHL Express Duty Charge, AWB & BL.exe	DHL Express Duty Charge, AWB & BL.exe
PID 1212 wrote to memory of 1920	1212	Explorer.EXE	control.exe
PID 1212 wrote to memory of 1920	1212	Explorer.EXE	control.exe
PID 1212 wrote to memory of 1920	1212	Explorer.EXE	control.exe
PID 1212 wrote to memory of 1920	1212	Explorer.EXE	control.exe
PID 1920 wrote to memory of 572	1920	control.exe	Firefox.exe
PID 1920 wrote to memory of 572	1920	control.exe	Firefox.exe
PID 1920 wrote to memory of 572	1920	control.exe	Firefox.exe
PID 1920 wrote to memory of 572	1920	control.exe	Firefox.exe
PID 1920 wrote to memory of 572	1920	control.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\DHL Express Duty Charge, AWB & BL.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Express Duty Charge, AWB & BL.exe"
2⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\DHL Express Duty Charge, AWB & BL.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Express Duty Charge, AWB & BL.exe"
3⤵
- Checks QEMU agent file
- Checks computer location settings
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd985.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
770KB

MD5
65f6090dfb069aca962a59f6df9e6113

SHA1
879bad504dfcce1a591c97817f3ff1e63931cfd2

SHA256
32a302d8c235226d8cdda4d957f151df3e5736fdce7886e6c794f0648b2eb106

SHA512
4c0e5e1103749356dceaaaa312e853bda83ec14f2f12288e9020cdf42b6e80d4caaec03d1ef7f34d81ddf2da88e6160c0c711380c2a7d89012e660406cdbb987

Download Submit
memory/556-80-0x0000000076FB0000-0x0000000077130000-memory.dmp

Filesize
1.5MB

Download
memory/556-62-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/556-75-0x000000001D440000-0x000000001D450000-memory.dmp

Filesize
64KB

Download
memory/556-61-0x00000000004030E2-mapping.dmp

Download
memory/556-81-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/556-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-64-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/556-65-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/556-66-0x0000000076DD0000-0x0000000076F79000-memory.dmp

Filesize
1.7MB

Download
memory/556-69-0x0000000076FB0000-0x0000000077130000-memory.dmp

Filesize
1.5MB

Download
memory/556-70-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/556-74-0x000000001D5D0000-0x000000001D8D3000-memory.dmp

Filesize
3.0MB

Download
memory/556-72-0x0000000000401000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/556-73-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/852-57-0x0000000002460000-0x00000000030AA000-memory.dmp

Filesize
12.3MB

Download
memory/852-63-0x0000000076FB0000-0x0000000077130000-memory.dmp

Filesize
1.5MB

Download
memory/852-58-0x0000000076DD0000-0x0000000076F79000-memory.dmp

Filesize
1.7MB

Download
memory/852-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/852-77-0x0000000076FB0000-0x0000000077130000-memory.dmp

Filesize
1.5MB

Download
memory/852-56-0x0000000002460000-0x00000000030AA000-memory.dmp

Filesize
12.3MB

Download
memory/1212-86-0x0000000004C00000-0x0000000004D3E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-76-0x0000000004B00000-0x0000000004BF3000-memory.dmp

Filesize
972KB

Download
memory/1212-89-0x0000000004C00000-0x0000000004D3E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-82-0x0000000000B30000-0x0000000000B4F000-memory.dmp

Filesize
124KB

Download
memory/1920-85-0x00000000009D0000-0x0000000000A5F000-memory.dmp

Filesize
572KB

Download
memory/1920-84-0x0000000001F50000-0x0000000002253000-memory.dmp

Filesize
3.0MB

Download
memory/1920-87-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1920-83-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1920-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads