MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05f6779510066abe01358548333beba78195864f07301916ed2ac355610db740. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 6



SHA256 hash: 05f6779510066abe01358548333beba78195864f07301916ed2ac355610db740
SHA3-384 hash: d0efba3364b895a3a126b2b284e9adc5f8341a0ccc8056f99d6b21330074d39303e7f526eb3e3541ece32d3b20be414d
SHA1 hash: 10e76d3995b3be464cef6365129e6c7f23089e36
MD5 hash: c25936a608275a0a3243deb985160e1d
humanhash: stairway-rugby-uncle-skylark
File name: DHL SHIPMENT NOTIFICATION 284748395PD.gz
Signature: Formbook
File size: 977'123 bytes
First seen: 2022-03-21 12:07:33 UTC
Last seen: Never
File type: gz
MIME type: application/x-rar
ssdeep: 24576:feNK9ofR1/bMRKYu7swmjUmYa1NDCdHw29cUOAP:24ofnAcYu7sXjUmYaOdrcc
TLSH: T1F62533CC73E06D07FD2B34B520A198570FCBD772343391199A7328679D8DE6A86AB84D
Reporter: cocaman
Tags: DHL FormBook gz
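Two details in the record above matter for triage: the hash set is how you confirm you are holding this exact sample, and the declared file type (gz) disagrees with the detected MIME type (application/x-rar), so the attachment's extension cannot be trusted to tell you what container you are about to open. The following Python is an added example, not MalwareBazaar's own code: it computes the same hash set the entry publishes, sniffs the container from leading magic bytes instead of the file name, and flags the name/magic mismatch. The IOC digests are copied from this entry; the two sample blobs are constructed here for illustration and are not the real payload.

```python
"""Triage helper for a MalwareBazaar sample: compute the published hash set,
sniff the archive container from magic bytes, and flag extension mismatches.

Added example, not MalwareBazaar's own code. KNOWN_IOCS is copied from this
entry; the sample blobs are constructed below for illustration only.
"""
import gzip
import hashlib

# Digests listed in this MalwareBazaar entry (lowercase hex).
KNOWN_IOCS = {
    "md5": "c25936a608275a0a3243deb985160e1d",
    "sha1": "10e76d3995b3be464cef6365129e6c7f23089e36",
    "sha256": "05f6779510066abe01358548333beba78195864f07301916ed2ac355610db740",
    "sha3_384": "d0efba3364b895a3a126b2b284e9adc5f8341a0ccc8056f99d6b21330074d39303e7f526eb3e3541ece32d3b20be414d",
}

# Leading-byte signatures for archive containers commonly seen in malspam.
MAGIC = [
    (b"\x1f\x8b", "gzip"),
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
    (b"Rar!\x1a\x07\x00", "rar4"),
    (b"PK\x03\x04", "zip"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
]

# What an extension claims; compared against the sniffed name by prefix,
# so "rar" covers both rar4 and rar5.
CLAIMED_BY_EXT = {"gz": "gzip", "tgz": "gzip", "rar": "rar", "zip": "zip", "7z": "7z"}

# Constructed samples, both delivered under a .gz name: a genuine gzip stream
# and a blob that is really a RAR5 header (the kind of mismatch this entry shows).
SAMPLE_REAL_GZ = gzip.compress(b"placeholder, not the real payload", mtime=0)
SAMPLE_FAKE_RAR = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16


def hash_sample(data: bytes) -> dict:
    """Compute the same hash set MalwareBazaar publishes for a file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def sniff_container(data: bytes) -> str:
    """Identify the container from its first bytes, ignoring the file name."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one container and the bytes say another.

    Returns False when either side is unknown, leaving the call to the analyst."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = CLAIMED_BY_EXT.get(ext)
    sniffed = sniff_container(data)
    if claimed is None or sniffed == "unknown":
        return False
    return not sniffed.startswith(claimed)


def match_iocs(hashes: dict, iocs: dict = KNOWN_IOCS) -> list:
    """Return the algorithms whose digest equals a known IOC, sorted by name."""
    return sorted(alg for alg, digest in hashes.items() if iocs.get(alg) == digest)


def triage(filename: str, data: bytes) -> dict:
    """One-shot triage record for an attachment."""
    hashes = hash_sample(data)
    return {
        "filename": filename,
        "container": sniff_container(data),
        "extension_mismatch": extension_mismatch(filename, data),
        "ioc_matches": match_iocs(hashes),
        "sha256": hashes["sha256"],
    }


if __name__ == "__main__":
    name = "DHL SHIPMENT NOTIFICATION 284748395PD.gz"
    for blob in (SAMPLE_REAL_GZ, SAMPLE_FAKE_RAR):
        print(triage(name, blob))
```

A full match on the IOC set means you have this exact file. A name/magic mismatch by itself only says the attachment was misnamed; that is common in malspam and a reason to look closer, not proof of malice, which is the same caution MalwareBazaar's own disclaimer at the top of this entry gives.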


cocaman
Malicious email (T1566.001)
From: "DHL Express Malaysia <Malaysia@dhl-news.com>" (likely spoofed)
Received: "from dhl-news.com (unknown [185.222.57.88])"
Date: "21 Mar 2022 11:01:47 +0100"
Subject: "Ref:103XXXXX Shipment of Original Documents."
Attachment: "DHL SHIPMENT NOTIFICATION 284748395PD.gz"

Intelligence

File Origin
# of uploads: 1
# of downloads: 205
Origin country: n/a

Vendor Threat Intelligence

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe obfuscated packed replace.exe

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: ByteCode-MSIL.Spyware.Noon
Status: Malicious
First seen: 2022-03-21 12:08:10 UTC
File Type: Binary (Archive)
Extracted files: 14
AV detection: 7 of 42 (16.67%)
Threat level: 2/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:n8bs loader rat suricata
Behaviour:
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Formbook
    gz 05f6779510066abe01358548333beba78195864f07301916ed2ac355610db740 (this sample)

Delivery method: Distributed via e-mail attachment

Comments