General

  • Target

    DHL AWB-5024310182_061222.exe

  • Size

    788KB

  • Sample

    221206-rmvkeshf7z

  • MD5

    4bc8ce54beb8016d78f09425034b3d03

  • SHA1

    8a3f23548ac66a45a5fba76561757df9bb301c8b

  • SHA256

    ec4741cb3671f0c7563788e27e03fd2cfae2b7470108cbf9e1603b138d034a11

  • SHA512

    2f24cb9e3246826dd851723de0ecfcc561621c8ebe0111d509e1d42fa69967b49ad9f288d2e172a7b56744368d91344da0cacfc7bdfd8b568e20da56c94d6711

  • SSDEEP

    24576:momxiPQFQNWbvquj44kgP6Y/mXYGAsjl:moKmQSNWbvn4hs/y

Malware Config

Extracted

Family

formbook

Campaign

d8ax

Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 1
