MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0285ce41301dcc6dfcf076c3a5897010a2c3c52f24016c2464a52d9124d5467b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0285ce41301dcc6dfcf076c3a5897010a2c3c52f24016c2464a52d9124d5467b
SHA3-384 hash: 59e5e4e2f166f54a57b9de6299c7eefad42d623c5219bc58b1203f7291bc34ae575c4b173a8cba99dc20d01ef94278df
SHA1 hash: 4fd7121e3519410fa332f2a77c42231d652ae146
MD5 hash: f8e57af5231bd04626f7503ebdd03562
humanhash: mars-william-undress-pluto
File name:DHL.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'499'648 bytes
First seen:2022-05-13 09:38:51 UTC
Last seen:2022-05-13 09:47:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:+0i+IcJxHlaUMI74pxqAwVDYQpnj5/plKZ2TcbdgS0nv:Zi+Ivn0ZV95/plKZ2Tcbedn
Threatray 5'418 similar samples on MalwareBazaar
TLSH T18F655C4C63CD8105DCB0D772EDB937D32763C77A6951A7026285763AC82F3ED2A40A9E
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 182b4d5d84f0f0b2 (9 x Formbook, 8 x AgentTesla, 6 x RemcosRAT)
Reporter cocaman
Tags:DHL exe FormBook


Avatar
cocaman
Malicious email (T1566.001)
From: "DHL EXPRESS<track@maildelivery.com>" (likely spoofed)
Received: "from maildelivery.com (unknown [104.223.33.145]) "
Date: "13 May 2022 11:45:58 +0200"
Subject: "Incoming Shippment Notification"
Attachment: "DHL.exe"

Intelligence

File Origin
# of uploads :
3
# of downloads :
632
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/270386/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/627e274d804c0977d3ea6665/reports/1dad8855-bead-4327-880c-582e09048664/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9de7a68f-b68c-4155-8c00-8b4372115503
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/993475
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 625975 Sample: DHL.exe Startdate: 13/05/2022 Architecture: WINDOWS Score: 100 19 Found malware configuration 2->19 21 Malicious sample detected (through community Yara rule) 2->21 23 Antivirus detection for URL or domain 2->23 25 6 other signatures 2->25 7 DHL.exe 1 2->7         started        process3 signatures4 27 Encrypted powershell cmdline option found 7->27 10 WerFault.exe 23 9 7->10         started        13 powershell.exe 15 7->13         started        process5 file6 17 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 10->17 dropped 15 conhost.exe 13->15         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0285ce41301dcc6dfcf076c3a5897010a2c3c52f24016c2464a52d9124d5467b/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2022-05-13 00:50:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=akc44qjqdxgg37hqo3b2lclqccrmhrjpeqawyjdeuuwzcjgviz5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0bc2d39e3f0460d299a315cb249fd7f0d863325f8bf666355cac323847a34bbb
Formbook
2c1f7f0978626db12ac76acd5c10d55d13976c43483baa257e8bd59c337c0b69
Formbook
41534cbdad51e3ae39a1346396ff9706c1e24a27a8051f2bb4c92148edb741d8
Formbook
661db4c325029f3b5e236d2812ff575e87419791b74af69621ff777de17de348
Formbook
9cfab08135de6aa4d1635ad9e3aebc7bdf8063546c32c9d0f09efb59558ce3c0
Formbook
b78667f1cef6431d75363f045981883b31b0e10925b4218b392c3fa5f044735e
Formbook
d4228fb80428de5db9495b19ed4a9366bd3120ba5889eecd82f4a0b1d827f81a
Formbook
e2b6d03b8580b415e56ab917eb2f131d1b1086bbcc9fee88c390ec3469ed12e6
Formbook
+ 5'408 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:64pf loader rat
Link:
https://tria.ge/reports/220513-lml1dsecf7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Xloader Payload
Xloader
Unpacked files
SH256 hash:
7be996a0d29a59552e222a59344f4b6f67f75ec85a91746f4e91aa2546786b79
MD5 hash:
f7a084c08193293cdf9ffc26e9469b2c
SHA1 hash:
1c57bb4fa8331e6d6c76253947fc7ed3265cf668
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/f24e62d2-1153-4b75-8a71-2dc505141e39/
Parent samples :
0285ce41301dcc6dfcf076c3a5897010a2c3c52f24016c2464a52d9124d5467b
879ff48aeaeee7c94d11e1988c282be172b994b2ad436f966937ffe6e3258275
SH256 hash:
22b633f070cd72d20307818fabb593c7e56c1e114ddb96d21292b2a3dbf75692
MD5 hash:
0f841c485226f5932d380ee6cdcb5a38
SHA1 hash:
f100994074247d3542313f90c5fa2a08647bc8c8
Link:
https://www.unpac.me/results/f24e62d2-1153-4b75-8a71-2dc505141e39/
SH256 hash:
b8847615faefa3a49239322425159305fb5c427fb5ba58119e5627e50f436b44
MD5 hash:
218cfc2d297dc8f2abfa08fdf6af7e22
SHA1 hash:
9070662b46a47627ecbc78583e205ced22d0162d
Link:
https://www.unpac.me/results/f24e62d2-1153-4b75-8a71-2dc505141e39/
SH256 hash:
0285ce41301dcc6dfcf076c3a5897010a2c3c52f24016c2464a52d9124d5467b
MD5 hash:
f8e57af5231bd04626f7503ebdd03562
SHA1 hash:
4fd7121e3519410fa332f2a77c42231d652ae146
Link:
https://www.unpac.me/results/f24e62d2-1153-4b75-8a71-2dc505141e39/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0285ce41301dcc6dfcf076c3a5897010a2c3c52f24016c2464a52d9124d5467b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 0285ce41301dcc6dfcf076c3a5897010a2c3c52f24016c2464a52d9124d5467b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/270386/

Comments