MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03632b99b5401681e8dacf45710bfce9919f840843b836bad53c3113dacb097e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03632b99b5401681e8dacf45710bfce9919f840843b836bad53c3113dacb097e
SHA3-384 hash: bd0ac034bade8d641eb7da2cf6cf23da6c56a057a3dbb91cd0cea11766e05c176c1006af6051da82c1d3919ecd2b6231
SHA1 hash: f0e02a8b4d6f043567a96287d920ca13fe883908
MD5 hash: b1318a347ad582746fdb9b1eac6e8d96
humanhash: pizza-sweet-william-pasta
File name:DHL SHIPPING DOCUMENT.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'079'808 bytes
First seen:2022-04-08 09:30:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4116ae7b3160bb7c72cca76cb8e5eb22 (5 x Formbook, 5 x DBatLoader, 3 x ModiLoader)
ssdeep 12288:33NcL6BFE+1exrI13sasf0iLBBejqqB7WLjq716TnT0tyB3h2FZec4qOjF:3aj4eisasTBorATnT00WFby
Threatray 17'196 similar samples on MalwareBazaar
TLSH T1BF358D23FB496833D8321A395E0F67A95535BD033D2494062AE26D5CEEF73827939783
File icon (PE):PE icon
dhash icon b2b1f1ecccce9c98 (8 x Formbook, 6 x DBatLoader, 5 x ModiLoader)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL SHIPPING DOCUMENT.exe
Verdict:
Malicious activity
Analysis date:
2022-04-08 22:15:21 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/fb2eb183-dae6-436d-8eee-711877ce04bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262018/
Detection(s):
Win.Trojan.Pwsx-9943091-0
Create hunting rule

SecuriteInfo.com.W32.AIDetect.malware2.28889.30456.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13167/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe fareit greyware keylogger packed replace.exe
Link:
https://www.filescan.io/uploads/625000d9bbd90911a29686d0/reports/7138e783-87ab-4ab6-bc16-e737c73fbf83/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac27a015-07fc-4f5a-a76f-23b4b85a5c69
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/973247
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 605739 Sample: DHL SHIPPING DOCUMENT.exe Startdate: 08/04/2022 Architecture: WINDOWS Score: 100 60 www.telenor-no.com 2->60 62 www.anilkirana.com 2->62 64 anilkirana.com 2->64 104 Found malware configuration 2->104 106 Malicious sample detected (through community Yara rule) 2->106 108 Antivirus detection for URL or domain 2->108 110 8 other signatures 2->110 11 DHL SHIPPING DOCUMENT.exe 1 20 2->11         started        16 Ghxtjsj.exe 15 2->16         started        signatures3 process4 dnsIp5 70 i-db3p-cor004.api.p001.1drv.com 13.104.208.162, 443, 49776, 49778 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->70 72 skhogg.db.files.1drv.com 11->72 78 4 other IPs or domains 11->78 52 C:\Users\Public\Librariesbehaviorgraphhxtjsj.exe, PE32 11->52 dropped 116 Writes to foreign memory regions 11->116 118 Creates a thread in another existing process (thread injection) 11->118 120 Injects a PE file into a foreign processes 11->120 18 logagent.exe 11->18         started        21 cmd.exe 1 11->21         started        74 i-db3p-cor003.api.p001.1drv.com 40.90.136.179, 443, 49788, 49790 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->74 76 skhogg.db.files.1drv.com 16->76 80 4 other IPs or domains 16->80 122 Multi AV Scanner detection for dropped file 16->122 124 Allocates memory in foreign processes 16->124 23 logagent.exe 16->23         started        file6 signatures7 process8 signatures9 82 Modifies the context of a thread in another process (thread injection) 18->82 84 Maps a DLL or memory area into another process 18->84 86 Sample uses process hollowing technique 18->86 88 2 other signatures 18->88 25 explorer.exe 18->25 injected 29 cmd.exe 1 21->29         started        31 conhost.exe 21->31         started        process10 dnsIp11 66 accurecharge.com 136.144.202.239, 49811, 80 TRANSIP-ASAmsterdamtheNetherlandsNL Netherlands 25->66 68 www.accurecharge.com 25->68 112 System process connects to network (likely due to code injection or exploit) 25->112 114 Uses ipconfig to lookup or modify the Windows network settings 25->114 33 Ghxtjsj.exe 15 25->33         started        37 cmmon32.exe 25->37         started        39 help.exe 25->39         started        43 2 other processes 25->43 41 conhost.exe 29->41         started        signatures12 process13 dnsIp14 54 i-db3p-cor006.api.p001.1drv.com 13.104.208.165, 443, 49792, 49795 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 33->54 56 skhogg.db.files.1drv.com 33->56 58 4 other IPs or domains 33->58 90 Writes to foreign memory regions 33->90 92 Allocates memory in foreign processes 33->92 94 Creates a thread in another existing process (thread injection) 33->94 96 Injects a PE file into a foreign processes 33->96 45 DpiScaling.exe 33->45         started        98 Modifies the context of a thread in another process (thread injection) 37->98 100 Maps a DLL or memory area into another process 37->100 102 Tries to detect virtualization through RDTSC time measurements 37->102 48 cmd.exe 1 37->48         started        signatures15 process16 signatures17 126 Modifies the context of a thread in another process (thread injection) 45->126 128 Maps a DLL or memory area into another process 45->128 130 Sample uses process hollowing technique 45->130 132 Tries to detect virtualization through RDTSC time measurements 45->132 50 conhost.exe 48->50         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03632b99b5401681e8dacf45710bfce9919f840843b836bad53c3113dacb097e/
Threat name:
Win32.Worm.AutoRun
Create hunting rule
Status:
Malicious
First seen:
2022-04-07 17:09:43 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=anrsxgnvialid2g2z5cxcc745giz7baiio4dnowvhqyrhwwlbf7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3e25c1a249031c7ec06d4d6ad15a9dcd9f6cf0a72053663ebdd7a31eafb59c35
Formbook
464fb0b39e6e803f8e032a0380fa66babe20032affda8b5dbf0f8fd687526443
Formbook
6e0e8d1cb340a26f3e8294c7b07ce486b56afcabfb90b7e20e4331b6384a85ce
Formbook
805d05e4bc4ea60742052443cb9e2a4b3527aee8f311862ed37ec98559884555
Formbook
8f9f3e0d7eebe0304aeb35eb75be87c7bfe13859e00851df037f54d14765cbb9
Formbook
8fb9ddc78aef013fcbc8ff38135972fdacf66a871cc4b42f719efefe2255219f
Formbook
b161e9594ef8849e7a1c09a801b5d248cfff6b08c65ed6459dda75b25fdeafee
Formbook
+ 17'186 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:a9hs loader persistence rat trojan
Link:
https://tria.ge/reports/220408-lg2hwsbeb8/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
ModiLoader, DBatLoader
Xloader
Unpacked files
SH256 hash:
4f921407dc157cd3ec27cf0bfb6bba1e1b5463076526378fa65e8121288a774b
MD5 hash:
f125d9101ccc3b42b5a847f8182b85e5
SHA1 hash:
c2f18fe8876110488df97d0818e0dd3cb89b0105
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/033b554c-0c99-4774-bd36-92778d1bb54e/
Parent samples :
3e25c1a249031c7ec06d4d6ad15a9dcd9f6cf0a72053663ebdd7a31eafb59c35
710c03f2e039d3bde583d2fa87faa58d17cbe6655a31b1e4e7890bf9687952c5
3bdc8a2cdae7fb2ab12ead1f0ced298aefb6cdcd9d35e88295a71192e193d481
805d05e4bc4ea60742052443cb9e2a4b3527aee8f311862ed37ec98559884555
571776f9f0168eb83034055ce51c1c72d1dcc6cb10445ac4de70104f97a170ff
2bc652d367cd94c0eb550959e49567754d73f8eb19a485cc229ffe4caab5605d
afb058fdd8aa200fe754289c9b48d8876f4bbd7cbcefc964742d76c32a990340
7ac202314f674281f31bad6e38a61c4bdd54c07f14b6dfd260d0665b8f2d0fa5
4690e84717b8b884bec65eddf700c6c99cfd19ebacbeadd766f9c3088c291112
03632b99b5401681e8dacf45710bfce9919f840843b836bad53c3113dacb097e
7cb6095dfefda254e0f96c3613cddcbcff7ce50b57a78e7f369d846d222eef49
82fc93baeea70f5e1c60ea976212b5cd2a33402ede66cd0efb059eaa5fae8150
b931f34008a112398ad48f0bd4e2e955dd7385bcc5cafd41cdb2220f26bddc44
6353828ddb8f70dd9a535d3314ac328b044539563334f093173b86fd96e24707
687b7b359a5cac51eeb2d8bd04b147bdca3af96f148c2e560b3aff235d48e6b0
bea87dfd8f3d79c5948163bb57da34a9c86b798817c9e5b9c8f169175b3f2a33
27309bb8844a4d48af2527787b781fdac2917d6f75f870743428a3e7aa44fc1a
fcc249e21fb278d56fcc3758f3b5f3730420688791b2195255ae8e6cc4bc5334
a421a1405a23a9e8e3807cee8c264a3068171e19f01f3d00e318a1757024db18
ee0e3ef0d4e024fee83ad9744a0c2fda54ea009c099144d7f3f5972b0e3c7c4d
4f921407dc157cd3ec27cf0bfb6bba1e1b5463076526378fa65e8121288a774b
70784bb09d094929ecd5666ae8d5ee613c7dbee18a21b009595f0b19777f5ec5
3f402617d9bbe740d49a4c0e0b17e4c704a11f04ad5c708a08c5a6988e7c181f
c122639d652908b10751cb546a1c48e753427aa4d74f6a638fcb6c829b65e12f
5a66917ff5fd5809f0c83a8240aeb983799f54916c0f45d2f1af61de5b7741f1
ac749d4dc15be0711d85256e946a41958427a7468dc3e15f0069d3691364c45a
c130e105a03b4d144a63a8be13f6c84aa4bb01df2a566756e022e79bec487c20
6a52acf5de13a2c4d6fa927727fb868db6d97220c5eb837ca307d19c0b7cf128
9ef6b1868ca09cf927398496746dc5c1e73980fe7e3c1ffe4f45004a1f11d16b
75b7d30e6f26fbb3fbac284ed75356cc874e73365764130209d4937d80a6c80d
08c0273e2bd04a047d150303d4cd05076c2d2877afa82543ce43fc8296d86a7c
dcccbb97201914164dc8bed003f14daadfa300a6206b7ce835f6c7ee8b686405
3e755ebc4b3e451616df6473cf0f804e3c0d79e06e4f7bd54f94544848961f12
d228e18c458c31492267b3167e1bde3b8702de493ea612d0ecf400835f490982
6097ee7a7f386804b11c435db24b34c3e54bb26b4cb4569c6c8c06f471513c73
c97ea7770bdc793b6e4f5ecdd0ab4454b51475faebb2368f338f620b353a0db1
6db572b2a372da55a29c00656ffdc03d279b01a57eaf854f58441847d3915ebc
9ea23f24620fd64243f22df105d30b97810377238aed2fd83aa31665198175db
26b24f28b0173c020071085d65b260207d5856a8a93c1c1acce7d5cca5e8835f
101159b2df3d82639b34a56f1b72524504492b91c80543689484a6e4ead0848c
a51e73ec5bca72dcebd78f128e76fa4bcb942ee0509d9c549e721806301a3e13
5be80161a65053eed5a2e9f84fd3c28eed3b40df540614ac86b56f6c5a3a5233
c27f65a625e611d0d29febe606a4e48421b30085f1536fe18fa8d41e665ccced
240970ef6292a02db1cd7c6fec1aa55036b11a20a3bed21318a056f9063e5088
SH256 hash:
47b0808dc672bdab43262faac9ee31d26f18ecd0527419ee9a8ded53e508e2b9
MD5 hash:
6339f06b4dea9250f8009b63ddee95e6
SHA1 hash:
b010c6e985916d5b1c4148870a7093ad324e06ff
Link:
https://www.unpac.me/results/033b554c-0c99-4774-bd36-92778d1bb54e/
SH256 hash:
03632b99b5401681e8dacf45710bfce9919f840843b836bad53c3113dacb097e
MD5 hash:
b1318a347ad582746fdb9b1eac6e8d96
SHA1 hash:
f0e02a8b4d6f043567a96287d920ca13fe883908
Link:
https://www.unpac.me/results/033b554c-0c99-4774-bd36-92778d1bb54e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/03632b99b540/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03632b99b5401681e8dacf45710bfce9919f840843b836bad53c3113dacb097e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/262018/

Comments