MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 169e90fc957c42bef2af2bc472799472af795ceeb2bd945e633d5f589e7e6f56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook
Vendor detections: 10

SHA256 hash: 169e90fc957c42bef2af2bc472799472af795ceeb2bd945e633d5f589e7e6f56
SHA3-384 hash: bb099932e772f2dbf383715b454021f5339b276337e9bb9d6114bab0ff838b248a02dde086b24ffb22db32c90b3b27e0
SHA1 hash: 249f0f9e9371ba0fae56295f98f800df760233c4
MD5 hash: ace696fb471220f69087be15df18548e
humanhash: washington-hotel-october-magnesium
File name: DHL SOA.exe
Signature: FormBook
File size: 396'288 bytes
First seen: 2020-07-22 08:34:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 12288:7FLratxKLD3PUm2iNSTEizbPkRViaR6zE3qy3D3h:7pD3cm1upbPaEo6YzDh
Threatray: 5'322 similar samples on MalwareBazaar
TLSH: 4884CF10EBF806E9DB6947BAD0625400A7B5791E67DBE70D2B95F0DC0932B818723F27
Reporter: abuse_ch
Tags: DHL exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: dhl.com
Sending IP: 37.49.230.89
From: DHL Express Service<no-reply@dhl.com>
Subject: DHL OVERDUE NOTICE - 1300003150 [REDACTED_DOMAIN]
Attachment: DHL SOA.zip (contains "DHL SOA.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 83
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Behaviour
Behavior Graph (text rendering of the graph image):
Behavior Graph ID: 249760
Sample: DHL SOA.exe
Start date: 23/07/2020
Architecture: WINDOWS
Score: 88

Process tree, with network indicators and signatures attached to the node that triggered them:
DHL SOA.exe (submitted sample)
    DNS/IP: www.generallasers.com
    Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 2 other signatures
    started: DHL SOA.exe
        dropped: C:\Users\user\AppData\...\DHL SOA.exe.log (ASCII)
        started: DHL SOA.exe (three child instances; the signatures below are attached to the first)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            injected: explorer.exe
                DNS/IP: www.veloflambe.com, www.pjhsea.info
                started: WWAHost.exe
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    started: cmd.exe
                        started: conhost.exe
                started: explorer.exe
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-07-22 08:36:10 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: persistence spyware evasion trojan stealer family:formbook
Behaviour
System policy modification
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Adds policy Run key to start application
Formbook
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
FormBook
Executable exe 169e90fc957c42bef2af2bc472799472af795ceeb2bd945e633d5f589e7e6f56 (this sample)
Delivery method: Distributed via e-mail attachment
