MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b6267e9733bf74cb555493e85cfe2391d3ca07a94d054421b0bb76a1d892a7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b6267e9733bf74cb555493e85cfe2391d3ca07a94d054421b0bb76a1d892a7c
SHA3-384 hash: 72592b718512761d94541defbc849828155bb4a6825cd4aaadbffc7a18652420666c7ccecff2414050a0bfee03d33b85
SHA1 hash: 2d845255242b534ea3a8e97bd9cb25704ad7be15
MD5 hash: 268cb5837897650c65ffe921e83d0dbd
humanhash: mountain-apart-oven-avocado
File name:DHL_Receipt.AWB811470484778.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:388'096 bytes
First seen:2020-07-22 13:31:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:qmqqcLrat5BTPqriPUm2GhNAr/lvlf6dHARiHCZCoQa67GHc4WC84sXdPUkHDjhu:qFLratwiPUm2iNSrR4oQa674WC5+1U+o
Threatray 5'488 similar samples on MalwareBazaar
TLSH 3F84CF10FBB806D9DB5947BAE0661510A7B5741E63EBE70D2B91F4DC0936B408B23F27
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31187/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching the process to change network settings
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/395109
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249908 Sample: DHL_Receipt.AWB811470484778.exe Startdate: 23/07/2020 Architecture: WINDOWS Score: 96 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected FormBook 2->40 42 Modifies the prolog of user mode functions (user mode inline hooks) 2->42 10 DHL_Receipt.AWB811470484778.exe 1 2->10         started        process3 file4 28 C:\...\DHL_Receipt.AWB811470484778.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 14 DHL_Receipt.AWB811470484778.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 vmsp.gallery 198.54.115.176, 49724, 80 NAMECHEAP-NETUS United States 17->30 32 www.vmsp.gallery 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 chkdsk.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8b6267e9733bf74cb555493e85cfe2391d3ca07a94d054421b0bb76a1d892a7c/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 11:26:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rnrgp2lthp3uznkvje7ilt7cheotzid2stifiqq3bo3wuhmjfj6a._file
Verdict:
malicious
Similar samples:
130a1070851bfc4e41ace49185b630338cd5c108a53e0d46d09a0abb258ece6f
Formbook
2bd1995c8c2b3f35906807ce4697151cf801af339579cd7b86e467df6474dafa
Formbook
33c7844de9677b2c4be5d2a81442404c46ed64d8e0f11214005aee8b7dd2c9be
Formbook
5a8f518c22d4dc299a5e734663d77456864ca4eddb7c81ddf3f6e759363883c5
Formbook
6dcf4557563343e881daf4b7d7b01e372457cee637ac001a1102a2e67a69cbf8
Formbook
82a761b4157d1fa4e99dbf36c0f30935b19a1dd9875e330d81a70877aa07bc8a
Formbook
a9089afb7795019bd9b1a2395b387a6c9957d499f10ff2929bf8d65c9913f453
Formbook
afc658f07e5da5c8071754e973e37fb7712e1f13a5a23a6baf440cd35e60fd76
Formbook
cd48e7228ffe8ca44b77d71d3fabd0d77b07a7c6cae4239ea83568389c20731d
Formbook
ecb66b3c2799764e4b3a10e4197fe47f1fe3f60ab10ad1c76733d712fb674873
Formbook
+ 5'478 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200722-x3xhv9w73e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
System policy modification
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b6267e9733bf74cb555493e85cfe2391d3ca07a94d054421b0bb76a1d892a7c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/31187/

Comments