MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9089afb7795019bd9b1a2395b387a6c9957d499f10ff2929bf8d65c9913f453. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9089afb7795019bd9b1a2395b387a6c9957d499f10ff2929bf8d65c9913f453
SHA3-384 hash: ce63df3142297689a15d9571674821bc8033208be04fdb344106fc14dc8648a06ed2fd37cea8622cdfa913cf34a26d6c
SHA1 hash: f988a207b742d8ed9ab62a2879a3190475803795
MD5 hash: fbd84a5e2b4e9448318e1cdf73bb9f78
humanhash: red-massachusetts-butter-shade
File name:DHL Shipment Notification Status AWB811470484778.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:380'416 bytes
First seen:2020-07-06 15:10:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:2JdPQ7SkG7i+n3HAApBz+HVldhvbaskV/nFlVFM31XrgLOAMgSVr/6A8krZzj2QF:2Qu7Pn3Vkn9kV/nFlVc7sMgXlklhoK
Threatray 5'089 similar samples on MalwareBazaar
TLSH A584D0760285BECEF77D4E78C15422404DB92D2BAB30D959FDC431C922B6754EEB8A31
Reporter abuse_ch
Tags:DHL exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: dhl.com
Sending IP: 45.143.222.143
From: DHL INTERNATIONAL <no-reply@dhl.com>
Subject: DHL Shipment Arrival Notification redacted@threatwave.com
Attachment: DHL Shipment Notification Status AWB811470484778.zip (contains "DHL Shipment Notification Status AWB811470484778.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21706/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Reading critical registry keys
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a9089afb7795019bd9b1a2395b387a6c9957d499f10ff2929bf8d65c9913f453/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 04:57:24 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=veejv63xsuazxwnrui4vwod2nsmvpvez6eh7feu37dlfzgit6rjq._file
Verdict:
malicious
Similar samples:
00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35
FormBook
0d271903774ae9467d80cad6fcaec4d2ea4653b8eb4c28e0a1c7dbe0849ccd01
FormBook
112b6fe2084ca3501c8a98a9cd90f60ce691a438864be736b049062379195818
FormBook
33c7844de9677b2c4be5d2a81442404c46ed64d8e0f11214005aee8b7dd2c9be
FormBook
7fcf92c7dcd71c8dd4d0b073877afb90075305390ccf6e3a50ca598211e0469f
FormBook
82a761b4157d1fa4e99dbf36c0f30935b19a1dd9875e330d81a70877aa07bc8a
FormBook
a4fb872505b79e9ecf7b8f1a2c4081e2e31edee3b4c5f30748fdfb0973ae21c6
FormBook
afc658f07e5da5c8071754e973e37fb7712e1f13a5a23a6baf440cd35e60fd76
FormBook
cd48e7228ffe8ca44b77d71d3fabd0d77b07a7c6cae4239ea83568389c20731d
FormBook
df745e4434b953ab404e59ef73608a9f3148fa7d629a28b7401c295efdf618b6
FormBook
+ 5'079 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200706-cey7zze4cj/
Behaviour
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
System policy modification
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Deletes itself
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip a14b0ace569280573dd7d900591897e4613914456187a9d5e99fdb8c4d8860ed

FormBook

Executable exe a9089afb7795019bd9b1a2395b387a6c9957d499f10ff2929bf8d65c9913f453

(this sample)

  
Dropped by
MD5 1fa925a276ecd363de8fa869c9281bf6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/21706/
  
Dropped by
SHA256 a14b0ace569280573dd7d900591897e4613914456187a9d5e99fdb8c4d8860ed

Comments