MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06b80b5b146259aedc1c2f1da5253e2ad1dadae5ba7577a8cc2ce93191f05fa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06b80b5b146259aedc1c2f1da5253e2ad1dadae5ba7577a8cc2ce93191f05fa1
SHA3-384 hash: c4b9c78db991912ea1be1df29727681117470d21ebf8090e8f729e1b9d45e00ab4e0adeba50edbaaf9ff71ca2604c057
SHA1 hash: 0f483b3fb308168e3af3ce46fcccbde1265da7a3
MD5 hash: 45dfc5671eca20fa6dc4ed9fa70ec804
humanhash: kansas-iowa-ceiling-oregon
File name:DHL Package _00099088.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:520'192 bytes
First seen:2022-07-06 15:58:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'616 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:FFb6dVpuscEVnFF5VZsGTC7HwjG2NtljwhofUYpps5PBbZQ:K5uscMXpTWQjTN/MPypqdZQ
Threatray 15'203 similar samples on MalwareBazaar
TLSH T130B4238BBE4E098FE21653B06D34A9B592F93E13C85A62717CC0311E05D27CF549ABF2
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 2c6c8d2622d9cc74 (3 x Formbook)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/285209/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Reading critical registry keys
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Connecting to a non-recommended domain
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62c5b18711764e36f81b4b93/reports/f6d32df7-dd26-4418-9317-1a1a427645ac/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f82f874-a8be-4a51-b4d0-854849dc7789
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1025750
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 658248 Sample: DHL Package _00099088.exe Startdate: 06/07/2022 Architecture: WINDOWS Score: 100 33 www.carolinasportsventures.com 2->33 35 Multi AV Scanner detection for domain / URL 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 10 other signatures 2->41 11 DHL Package _00099088.exe 1 2->11         started        signatures3 process4 file5 31 C:\Users\...\DHL Package _00099088.exe.log, ASCII 11->31 dropped 49 Injects a PE file into a foreign processes 11->49 15 DHL Package _00099088.exe 11->15         started        signatures6 process7 signatures8 51 Modifies the context of a thread in another process (thread injection) 15->51 53 Maps a DLL or memory area into another process 15->53 55 Sample uses process hollowing technique 15->55 57 Queues an APC in another process (thread injection) 15->57 18 explorer.exe 15->18 injected process9 process10 20 cscript.exe 18->20         started        23 autoconv.exe 18->23         started        signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 25 cmd.exe 1 20->25         started        27 explorer.exe 2 156 20->27         started        process12 process13 29 conhost.exe 25->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/06b80b5b146259aedc1c2f1da5253e2ad1dadae5ba7577a8cc2ce93191f05fa1/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-07-06 15:00:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a24awwyumjm25xa4f4o2kjj6fli5vwxfxj2xpkgmftutdepql6qq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4af6ad9cb7c52362c67750fc09eb98b55e19d1e781ab91b2c8a62071c62eaf97
Formbook
64432a60f19aa2b6365f98fd236200b873770c59e66bf3f25d21c4974f565a65
Formbook
85ec001d82e4c9830edd17193c1afdfeca8505ccf462eed95835eb50d3c048a6
Formbook
9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43
Formbook
a9abf5bb4d461231fec3b318a772380e393aefd63c4dd049b701bd1e4b4f437c
Formbook
b43776e06bb69bbd5171248b0fc82bf9a6cf2641b94717d4ebd77b38333726dc
Formbook
bcc711216f936b8631255ef36c805bd978a55ce3516dce7693393fee91cc8022
Formbook
c78ef90c99097acb04847fe5b99a5ad110e2d8dff9ec7c4caf37e3411a063c2a
Formbook
ded5b8b5d57f0e7d66f85cfd7067af3a22e6ce2877cb4d1fc5eb88963559316b
Formbook
ed02c3de60701f97271c578756211131d9d5e7bc141e77f97abfbe9d64ccc92b
Formbook
+ 15'193 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:q80o loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220706-te3beaeegj/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Adds policy Run key to start application
Blocklisted process makes network request
Executes dropped EXE
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
1bf22069a012c8d24dd456691f1be1869e8c14af8f38e1ce12fa584e9cdb170e
MD5 hash:
d515badeb2c83cc289f66211f888ef8b
SHA1 hash:
ecc0631c87aaea3c0f4914c52500026bfd140ef2
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
XLoader
Create hunting rule
Link:
https://www.unpac.me/results/f5682f12-b7b8-4bb8-bdda-f82914620fe5/
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/f5682f12-b7b8-4bb8-bdda-f82914620fe5/
SH256 hash:
70177eaff44f611736edcb9d0e4e5052838dbc0b86afcc1a93b0c8d72560e614
MD5 hash:
707e991a24f0e9aacb659c9a3c62b276
SHA1 hash:
95276c1f73420c015b047d13f313150e086c9947
Link:
https://www.unpac.me/results/f5682f12-b7b8-4bb8-bdda-f82914620fe5/
SH256 hash:
06b80b5b146259aedc1c2f1da5253e2ad1dadae5ba7577a8cc2ce93191f05fa1
MD5 hash:
45dfc5671eca20fa6dc4ed9fa70ec804
SHA1 hash:
0f483b3fb308168e3af3ce46fcccbde1265da7a3
Link:
https://www.unpac.me/results/f5682f12-b7b8-4bb8-bdda-f82914620fe5/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/06b80b5b1462/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/06b80b5b146259aedc1c2f1da5253e2ad1dadae5ba7577a8cc2ce93191f05fa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/285209/

Comments