General

  • Target

    DHL Shipment_pdf.exe

  • Size

    253KB

  • Sample

    221128-jfabxafc46

  • MD5

    6c47810c50e5d51c52010f6497b192cc

  • SHA1

    46c1da4c046006d84a306b824e2f9f65a034e389

  • SHA256

    75487358663f47e70846be7ae195c335bb35cbe469c93503f537e75855082f01

  • SHA512

    ab56561a813a1730a63c3d474178d7a0d57394979eb8d5babd98742a3556f4805b88e13c505dbf5169740cc0a3dbffb994b58284d9343f64d835042299e8bbcf

  • SSDEEP

    6144:xBnQPEBXJ9LLlsp1mjwi2OsedFcBzX1GuW5uC1O:8P4Zc1Ow5eTcBbAn5u3

Malware Config

Extracted

Family

formbook

Campaign

olus

Decoy

Targets

    • Formbook

      Formbook is an infostealer, a malware family that harvests data from the infected host.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6