General

  • Target

    7b8607f60471a33a06ed343cb076b246_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240731-gy3p3avckh

  • MD5

    7b8607f60471a33a06ed343cb076b246

  • SHA1

    44a64d54193aa07432aaeda41f574798f535703c

  • SHA256

    da3a2f5c493aabfba08548ebf199ec7ab8cb247edc1b006a448c153960ac7600

  • SHA512

    50177aaea9664f4f6f4a675a189c1822aae4db94800c5f839b2b8a662eda9c311b919b646539f98e5e7ea8254f4fa079a88a37518a11bb36206f8e01e2dae2ee

  • SSDEEP

    12288:u8nJ2WI0qaqmvK4Cq/hgoMWcAYTf+pPapD7ayR:uE2WI0vq6K4Cq/h+WBqd7ayR

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    mq3

  • Decoy

    clarksonassistivetech.com
    sjzam6.com
    designermarken-outlet.online
    kampoengkurma.online
    shamsmaltdrinks.com
    d7r4u1.info
    sportsboulder.com
    snagabag31.com
    am0rsexkreto.com
    sj233.com
    estaladores.online
    icbjesusdenazaret.net
    bobi-frs.net
    steminvr.com
    yoxi.ltd
    aaronnational.com
    charliezangelzagency.com
    rolex218238.com
    snacksejuice.com
    educationgrants.site

Targets

    • Target

      DHL Shipment Notification 5011586210.exe

    • Size

      358KB

    • MD5

      8ea0022fe9bfb7a53c0650a1991d9420

    • SHA1

      65cca2488da8a1d479e2ef9745a27c7c2495f6c4

    • SHA256

      51e2e890ac898a62cb6478414ac1079df55a036da252026d4f5c8f7f09e400b3

    • SHA512

      c9129be7dcce8b5dd560e7c36d2177c7b5a6a88a41760db693b35d6b0e14d7293faead0c30a3386cd7be8238ac080a8aa59eff6d28a5269f492167a531e5f64f

    • SSDEEP

      6144:zxanJ2WI0ahaqmvK4Cqwpu/e+gnoGpob9cAjkTfpYpPapkSd9ug7x8nInfxD6MR:z8nJ2WI0qaqmvK4Cq/hgoMWcAYTf+pPK

    • Formbook

      Formbook is a data-stealing malware family (an infostealer).

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Formbook payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks