General

  • Target

    URMĂRIREA DHL.exe

  • Size

    504KB

  • Sample

    230711-qext5sac41

  • MD5

    bb1b176981654681cc6321b31d4ec366

  • SHA1

    f4b9868b0cf8290ea7ec2b4e1e91e36d8294571c

  • SHA256

    bf10226e9ddcf64215ca45ede48c6a2d61fbfe2cb3e1cea7f0ebee38e6a3c707

  • SHA512

    3a5bb06e2995f994d0796456ac8c8fa20bd18e196ac2e4274f988e47b6c321a0fb5fcbe731d2fe698280acd675489902c048c695b2cf3b326f72a019d638eff5

  • SSDEEP

    12288:sC3+YT7k0PwTrVg0iTnKqvdmVVN62YDJk0cNhKZR:sa+YHL41gh7vdmDN62YDBczy

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

il09

Decoy

ahy99.com

tmzrygdv.cfd

trainingwithoutnerves.com

loaddirecters.com

elocquinn.com

sunnahscents.com

jogobrgames.xyz

skinkissedaesthetics.com

943465722.xyz

jopkrrub.cfd

kavrex.com

sensori.host

sybrstrmtdiyari.com

ourouba22.app

smilebrandsbreacsettlement.com

72um.asia

kenleyeventdesign.com

mandalastudioonline.com

much2more.com

beckettbees.com

Targets

    • Target

      URMĂRIREA DHL.exe

    • Size

      504KB

    • MD5

      bb1b176981654681cc6321b31d4ec366

    • SHA1

      f4b9868b0cf8290ea7ec2b4e1e91e36d8294571c

    • SHA256

      bf10226e9ddcf64215ca45ede48c6a2d61fbfe2cb3e1cea7f0ebee38e6a3c707

    • SHA512

      3a5bb06e2995f994d0796456ac8c8fa20bd18e196ac2e4274f988e47b6c321a0fb5fcbe731d2fe698280acd675489902c048c695b2cf3b326f72a019d638eff5

    • SSDEEP

      12288:sC3+YT7k0PwTrVg0iTnKqvdmVVN62YDJk0cNhKZR:sa+YHL41gh7vdmDN62YDBczy

    • Formbook

      Formbook is an information-stealing malware family that harvests credentials and other data from infected hosts.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Formbook payload

    • Adds policy Run key to start application

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent file, possibly to detect virtualization.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks