General

  • Target

    DHL Express Duty Charge, AWB & BL.exe

  • Size

    580KB

  • Sample

    221123-m34e2sah4y

  • MD5

    53f6cb13cf941ca18bc398d32f845579

  • SHA1

    a09d0166e26b59e01d8f9314c98534adcb6de340

  • SHA256

    12748aea84778652c1b2fef43117bdb42de3061f4a4376927ca27154cce42013

  • SHA512

    c272cc3432ad0ed6946fb6c95a9e76842f605b66096bfc86203245176e460494ed670f718110468c9c71957dcd29d66006b7738e40e951cb06f9c762234c2494

  • SSDEEP

    12288:isDRL2aOfokSwTh/TCu3SCfn1YD9wj0lmbPOFh7HuTO:DJOfo9+8VCfn89QPOB

Malware Config

Extracted

Family

formbook

Campaign

h8t0

Decoy

pX0T7fJ5SmBsroaYtF/qyNlKtSA=

S2NpcYsZ0sMKKsWw

InTDrCxX1GVhp7fzmK8=

mH5Ax6r2GyAh

GYKFkKD2GyAh

TyWptjZgzlzNV0Y2PtM85dlKtSA=

D/V0extZ3I/PVr6mCqGNazBB

xik8B2uLuILxdg==

oohXUF/7tHGxQs42SvIo+64=

7W/2B7CoqOEfY3WqCw==

SKW3c0DvmA991EE=

dx1jYxAG+T9YaOxctM5OqQ==

uBwqzYUt3KHNKEI1Oq/2tV4UUQ==

HkhDv2iluILxdg==

O8ca/3Z0p/xD0dc9jwgr2g6oorw/DA==

CdVTZwxFv2LSRyckeO1Uvg==

UaO+if0kiQ0HHe29lwaEIv+morw/DA==

wB5RfRm6wFunIVY=

UvpBQ+Ucf97/PRGJm4v8

s86lipNDSIu9D/IqkUIhHGUMTA==

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks