Overview

overview

10

Static

static

DHL Consgn...df.exe

windows7-x64

10

DHL Consgn...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    192s
  • max time network
    207s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 07:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Consgnment Notification_pdf.exe

  • Size

    814KB

  • MD5

    eccc5475dd661be20724e6b8a131f664

  • SHA1

    adbd86d7ccdab284d0080f0a08e3d426a8df21b8

  • SHA256

    5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a

  • SHA512

    f61dfbb25c44e9bcc5334b95c1c54c2275876ee50610995dfda2fc6090b9b05e5da66831d288b53e313b6c1aec4b0e24d001792425965914eb03f6d6bdfd19c6

  • SSDEEP

    12288:vFyMNTl159j9G9+a3DY366UqXbAyBWWapIg95lvTHRyoY:3b1XZGAaT56VrAyepIgvpjRpY

Score
10/10
formbookg28pratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g28p

Decoy

whhmgs.asia

wellmedcaredirect.net

beggarded.com

wtpjiv.site

todo-celulares.com

parkitny.net

43345.top

pro-genie.com

cwdxz.com

cbc-inc.xyz

healthspots.net

rulil.top

pyramidaudit.solutions

k8sb15.live

hempaware.report

usclink.life

stayefs.net

05262.top

shop-izakaya-jin.com

iccworldcupnews.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Users\Admin\AppData\Local\Temp\DHL Consgnment Notification_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Consgnment Notification_pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Users\Admin\AppData\Local\Temp\DHL Consgnment Notification_pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\DHL Consgnment Notification_pdf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1940
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:1360
      • C:\Windows\SysWOW64\autoconv.exe
        "C:\Windows\SysWOW64\autoconv.exe"
        2⤵
          PID:1488
        • C:\Windows\SysWOW64\autoconv.exe
          "C:\Windows\SysWOW64\autoconv.exe"
          2⤵
            PID:1588
          • C:\Windows\SysWOW64\autoconv.exe
            "C:\Windows\SysWOW64\autoconv.exe"
            2⤵
              PID:1696
            • C:\Windows\SysWOW64\autoconv.exe
              "C:\Windows\SysWOW64\autoconv.exe"
              2⤵
                PID:400
              • C:\Windows\SysWOW64\autoconv.exe
                "C:\Windows\SysWOW64\autoconv.exe"
                2⤵
                  PID:2304
                • C:\Windows\SysWOW64\autoconv.exe
                  "C:\Windows\SysWOW64\autoconv.exe"
                  2⤵
                    PID:4244
                  • C:\Windows\SysWOW64\msdt.exe
                    "C:\Windows\SysWOW64\msdt.exe"
                    2⤵
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3020
                    • C:\Windows\SysWOW64\cmd.exe
                      /c del "C:\Users\Admin\AppData\Local\Temp\DHL Consgnment Notification_pdf.exe"
                      3⤵
                        PID:1608

                  Network

                  MITRE ATT&CK Matrix

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/1608-149-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1940-143-0x0000000000400000-0x000000000042F000-memory.dmp

                    Filesize

                    188KB

                    Download

                  • memory/1940-141-0x00000000010D0000-0x00000000010E4000-memory.dmp

                    Filesize

                    80KB

                    Download

                  • memory/1940-137-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1940-138-0x0000000000400000-0x000000000042F000-memory.dmp

                    Filesize

                    188KB

                    Download

                  • memory/1940-140-0x0000000001550000-0x000000000189A000-memory.dmp

                    Filesize

                    3.3MB

                    Download

                  • memory/2176-142-0x0000000002ED0000-0x0000000002FCF000-memory.dmp

                    Filesize

                    1020KB

                    Download

                  • memory/2176-152-0x0000000008200000-0x00000000082FB000-memory.dmp

                    Filesize

                    1004KB

                    Download

                  • memory/2176-144-0x0000000002ED0000-0x0000000002FCF000-memory.dmp

                    Filesize

                    1020KB

                    Download

                  • memory/2176-153-0x0000000008200000-0x00000000082FB000-memory.dmp

                    Filesize

                    1004KB

                    Download

                  • memory/3020-151-0x0000000002E50000-0x0000000002EE3000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/3020-145-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3020-146-0x0000000000420000-0x0000000000477000-memory.dmp

                    Filesize

                    348KB

                    Download

                  • memory/3020-147-0x0000000000ED0000-0x0000000000EFF000-memory.dmp

                    Filesize

                    188KB

                    Download

                  • memory/3020-148-0x0000000002FD0000-0x000000000331A000-memory.dmp

                    Filesize

                    3.3MB

                    Download

                  • memory/3020-150-0x0000000000ED0000-0x0000000000EFF000-memory.dmp

                    Filesize

                    188KB

                    Download

                  • memory/4796-134-0x00000000053E0000-0x0000000005472000-memory.dmp

                    Filesize

                    584KB

                    Download

                  • memory/4796-133-0x00000000058B0000-0x0000000005E54000-memory.dmp

                    Filesize

                    5.6MB

                    Download

                  • memory/4796-132-0x0000000000960000-0x0000000000A32000-memory.dmp

                    Filesize

                    840KB

                    Download

                  • memory/4796-136-0x0000000008C70000-0x0000000008D0C000-memory.dmp

                    Filesize

                    624KB

                    Download

                  • memory/4796-135-0x0000000005480000-0x000000000548A000-memory.dmp

                    Filesize

                    40KB

                    Download