Overview

overview

10

Static

static

1

DHL Expres...BL.exe

windows7-x64

10

DHL Expres...BL.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Express Duty Charge, AWB & BL.exe

  • Size

    580KB

  • MD5

    53f6cb13cf941ca18bc398d32f845579

  • SHA1

    a09d0166e26b59e01d8f9314c98534adcb6de340

  • SHA256

    12748aea84778652c1b2fef43117bdb42de3061f4a4376927ca27154cce42013

  • SHA512

    c272cc3432ad0ed6946fb6c95a9e76842f605b66096bfc86203245176e460494ed670f718110468c9c71957dcd29d66006b7738e40e951cb06f9c762234c2494

  • SSDEEP

    12288:isDRL2aOfokSwTh/TCu3SCfn1YD9wj0lmbPOFh7HuTO:DJOfo9+8VCfn89QPOB

Score
10/10
formbookh8t0ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

h8t0

Decoy

pX0T7fJ5SmBsroaYtF/qyNlKtSA=

S2NpcYsZ0sMKKsWw

InTDrCxX1GVhp7fzmK8=

mH5Ax6r2GyAh

GYKFkKD2GyAh

TyWptjZgzlzNV0Y2PtM85dlKtSA=

D/V0extZ3I/PVr6mCqGNazBB

xik8B2uLuILxdg==

oohXUF/7tHGxQs42SvIo+64=

7W/2B7CoqOEfY3WqCw==

SKW3c0DvmA991EE=

dx1jYxAG+T9YaOxctM5OqQ==

uBwqzYUt3KHNKEI1Oq/2tV4UUQ==

HkhDv2iluILxdg==

O8ca/3Z0p/xD0dc9jwgr2g6oorw/DA==

CdVTZwxFv2LSRyckeO1Uvg==

UaO+if0kiQ0HHe29lwaEIv+morw/DA==

wB5RfRm6wFunIVY=

UvpBQ+Ucf97/PRGJm4v8

s86lipNDSIu9D/IqkUIhHGUMTA==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Blocklisted process makes network request 1 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1348
    • C:\Users\Admin\AppData\Local\Temp\DHL Express Duty Charge, AWB & BL.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Express Duty Charge, AWB & BL.exe"
      2⤵
      • Checks QEMU agent file
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Users\Admin\AppData\Local\Temp\DHL Express Duty Charge, AWB & BL.exe
        "C:\Users\Admin\AppData\Local\Temp\DHL Express Duty Charge, AWB & BL.exe"
        3⤵
        • Checks QEMU agent file
        • Checks computer location settings
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:756
        • C:\Windows\SysWOW64\cmstp.exe
          "C:\Windows\SysWOW64\cmstp.exe"
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:564
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            5⤵
              PID:1868

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsd1039.tmp\System.dll
      Filesize

      11KB

      MD5

      6f5257c0b8c0ef4d440f4f4fce85fb1b

      SHA1

      b6ac111dfb0d1fc75ad09c56bde7830232395785

      SHA256

      b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

      SHA512

      a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

      Download Submit

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      807KB

      MD5

      16a1612789dc9063ebea1cb55433b45b

      SHA1

      438fde2939bbb9b5b437f64f21c316c17ce4a7f6

      SHA256

      6deaec2f96c8a1c20698a93ddd468d5447b55ac426dc381eef5d91b19953bb7b

      SHA512

      d727ce8cd793c09a8688accb7a2eb5d8f84cc198b8e9d51c21e2dfb11d850f3ac64a58d07ff7fe9d1a2fdb613567e4790866c08a423176216ff310bf24a5a7e3

      Download Submit

    • memory/564-83-0x0000000000000000-mapping.dmp

      Download

    • memory/564-94-0x0000000000090000-0x00000000000BD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/564-92-0x0000000000970000-0x00000000009FF000-memory.dmp

      Filesize

      572KB

      Download

    • memory/564-91-0x0000000000B00000-0x0000000000E03000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/564-90-0x0000000000090000-0x00000000000BD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/564-89-0x0000000000EC0000-0x0000000000ED8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/756-86-0x000000001CF30000-0x000000001CFF1000-memory.dmp

      Filesize

      772KB

      Download

    • memory/756-81-0x0000000000070000-0x0000000000080000-memory.dmp

      Filesize

      64KB

      Download

    • memory/756-62-0x00000000004030E2-mapping.dmp

      Download

    • memory/756-67-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/756-68-0x0000000076EF0000-0x0000000077099000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/756-71-0x00000000770D0000-0x0000000077250000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/756-72-0x0000000000400000-0x0000000001462000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/756-73-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/756-74-0x0000000000401000-0x0000000001462000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/756-75-0x0000000000400000-0x0000000001462000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/756-76-0x000000001D5E0000-0x000000001D8E3000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/756-63-0x0000000000400000-0x0000000001462000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/756-78-0x000000001CF30000-0x000000001D0F4000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/756-88-0x0000000000400000-0x0000000001462000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/756-80-0x0000000000401000-0x0000000001462000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/756-87-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/756-85-0x00000000770D0000-0x0000000077250000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/756-65-0x00000000001C0000-0x00000000002C0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1348-82-0x0000000006ED0000-0x0000000007035000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1348-77-0x0000000006B70000-0x0000000006C9D000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1348-93-0x0000000007460000-0x000000000758B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1348-96-0x0000000007460000-0x000000000758B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1724-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1724-64-0x00000000770D0000-0x0000000077250000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1724-79-0x00000000770D0000-0x0000000077250000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1724-66-0x00000000770D0000-0x0000000077250000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1724-60-0x00000000770D0000-0x0000000077250000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1724-58-0x0000000076EF0000-0x0000000077099000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1724-57-0x0000000002490000-0x00000000030DA000-memory.dmp

      Filesize

      12.3MB

      Download

    • memory/1724-56-0x0000000002490000-0x00000000030DA000-memory.dmp

      Filesize

      12.3MB

      Download