General

  • Target

    ΠΑΡΑΚΟΛΟΥΘΗΣΗ ΔΕΜΑΤΩΝ DHL.exe

  • Size

    497KB

  • Sample

    230712-g4b5asdb7s

  • MD5

    cad1eb405fa1ac324c712c9090e0c08f

  • SHA1

    7497b8c739994f003d248b8bd2a62d526c1b902d

  • SHA256

    7a55e4b3f800275bc0f7c00cd337d0dd83379ef845fce3fa55b86d68092c1b9c

  • SHA512

    0ed96fb9c3ceb1238d4ea26b206ef22e1aba01b8bf48b3d1074a1411e59db2393373f1c6cfca3dedd8e9b325f8af0dd31a6db6462ba3f79db8600a44cb83a6cf

  • SSDEEP

    12288:sC3+YT7k0PwTrVg0iTYYXQZbnnTOnVm4j5VyP+:sa+YHL41ghXA9iVm4j5M+

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    il09

  • Decoy

    ahy99.com
    tmzrygdv.cfd
    trainingwithoutnerves.com
    loaddirecters.com
    elocquinn.com
    sunnahscents.com
    jogobrgames.xyz
    skinkissedaesthetics.com
    943465722.xyz
    jopkrrub.cfd
    kavrex.com
    sensori.host
    sybrstrmtdiyari.com
    ourouba22.app
    smilebrandsbreacsettlement.com
    72um.asia
    kenleyeventdesign.com
    mandalastudioonline.com
    much2more.com
    beckettbees.com

Targets

    • Target

      ΠΑΡΑΚΟΛΟΥΘΗΣΗ ΔΕΜΑΤΩΝ DHL.exe

    • Size

      497KB

    • MD5

      cad1eb405fa1ac324c712c9090e0c08f

    • SHA1

      7497b8c739994f003d248b8bd2a62d526c1b902d

    • SHA256

      7a55e4b3f800275bc0f7c00cd337d0dd83379ef845fce3fa55b86d68092c1b9c

    • SHA512

      0ed96fb9c3ceb1238d4ea26b206ef22e1aba01b8bf48b3d1074a1411e59db2393373f1c6cfca3dedd8e9b325f8af0dd31a6db6462ba3f79db8600a44cb83a6cf

    • SSDEEP

      12288:sC3+YT7k0PwTrVg0iTYYXQZbnnTOnVm4j5VyP+:sa+YHL41ghXA9iVm4j5M+

    • Formbook

      Formbook is a data-stealing malware family (infostealer).

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Formbook payload

    • Adds policy Run key to start application

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks