MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 025b76eafdfd8005a31511b34f740d6a6a5f26061377484b7b05ad40369ee1c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

SHA256 hash: 025b76eafdfd8005a31511b34f740d6a6a5f26061377484b7b05ad40369ee1c1
SHA3-384 hash: 6d031dfcbe9569acb59603a72938128ad536f3e34dae4effc5fe99afd55b0a6ae9393daf7a7216c770368e3e591fb545
SHA1 hash: a4533f7fafc5ee846900079cafd293b0ef61a693
MD5 hash: 8da6ba9da6a58da064875e86c203aae4
humanhash: equal-fix-king-bulldog
File name: DHL Express Duty Charge, AWB & BL.ZIPX
Signature: Formbook
File size: 460'366 bytes
First seen: 2022-11-23 07:49:48 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 12288:ylPDn1nkcglUfokwwTh/TUtpCfimF/D9wj01obPvMy:ylPT1njEUfoJ+XfDFR9OPky
TLSH: T151A423D7CEDBC514E664F232AB24ED18FE8543DD24CE526A6F17D4614286B670CC01F9
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: cocaman
Tags: DHL FormBook zip zipx


cocaman
Malicious email (T1566.001)
From: "DHL Express <support@bluehost.com>" (likely spoofed)
Received: "from mail0.glomac.co (mail0.glomac.co [85.208.136.109]) "
Date: "23 Nov 2022 03:38:03 +0000"
Subject: "Fwd: Original DHL Bill of Lading-PL/CI/BL-Documents arrival"
Attachment: "DHL Express Duty Charge, AWB & BL.ZIPX"

Intelligence


File Origin
# of uploads: 1
# of downloads: 123
Origin country: n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: DHL Express Duty Charge, AWB & BL.exe
File size: 594'752 bytes
SHA256 hash: 12748aea84778652c1b2fef43117bdb42de3061f4a4376927ca27154cce42013
MD5 hash: 53f6cb13cf941ca18bc398d32f845579
MIME type: application/x-dosexec
Signature: Formbook
Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Binary.Trojan.Nemesis
Status: Malicious
First seen: 2022-11-23 07:50:50 UTC
File Type: Binary (Archive)
Extracted files: 9
AV detection: 4 of 41 (9.76%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:h8t0 rat spyware stealer trojan
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 025b76eafdfd8005a31511b34f740d6a6a5f26061377484b7b05ad40369ee1c1 (this sample)

Delivery method: Distributed via e-mail attachment
