MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 088cc7491fc68b14d1e883a36a411b992ef71a038526e9b15b820985d3bbb7d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 088cc7491fc68b14d1e883a36a411b992ef71a038526e9b15b820985d3bbb7d2
SHA3-384 hash: 05c4c4c770d8fbeee1e70b8917090ba21588fd573db7723ad724318de6c38c449711a955f8dd5f7c096fa8fc2b64a265
SHA1 hash: 2b1f4c831102d97803a31a9d61ad9ce9b37bb1fa
MD5 hash: ce6a283006e8cb7e5855f2d9bd8ca76f
humanhash: four-pizza-eight-hamper
File name:DHL Invoices_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:456'119 bytes
First seen:2022-01-19 07:18:03 UTC
Last seen:2022-01-19 15:12:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:HwSohziiwJlpu7buU9BmN/N5Zc6/IMKnSq49jcwIVcyEy:6hui4lpu7brsa61rCwI3P
Threatray 10'346 similar samples on MalwareBazaar
TLSH T178A4D0D1F194C8DAE5AB14B2EC2AD5F022966E8CD198564F26D63F0A79B3383105FD0F
File icon (PE):PE icon
dhash icon e8ecaccc14b2db65 (2 x RemcosRAT, 2 x Formbook, 1 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220464/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Creating a file
Unauthorized injection to a recently created process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61e7bb310f8c757253cb7871/reports/a431ae6d-739c-4f67-a321-8d9b387c09a6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/339fae84-5841-4e41-aa26-1051df96a849
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/923136
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/088cc7491fc68b14d1e883a36a411b992ef71a038526e9b15b820985d3bbb7d2/
Threat name:
Win32.Worm.SpyBot
Create hunting rule
Status:
Malicious
First seen:
2022-01-19 07:18:13 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bcgmosi7y2frjupiqorwuqi3texpogqdqutotmk3qieylu53w7ja._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
13d4188437fd7caf662393052ef82808bf70cdb5e31fcc2f162ad2dffad377aa
Formbook
29e7d7eec0c8b07eac1b67b2875c1942104495e5e37f8b08fd788d4157376b1b
Formbook
3d9b01acd650801e9f3ff8b3c0676b00d7c58efcfa53ab922cd1642b4a963d96
Formbook
4f64511b423d79682dfad8f6b516516d32e801f0031f07b7e3c6c19798a64b95
Formbook
6846492babd6809fcbf6d1a30ebd47db29061bc23237069ff85a86b406b1abb0
Formbook
83f6ae731d42e5b754955cc68e0289a7b30592e04121cbea6f51a90845c331dd
Formbook
b6766af1afb815c61741089760278a15e9089ae7b14a3537faa4ca6e4ebfdffc
Formbook
bbbb4573dc583a2870aad1d30b310e6e61dae23c5652ae30207a392209d9dd6d
Formbook
ff9c2a9f30d1de620b3b32389ea8efd1f624113ec22ff7055a416539cac2afac
Formbook
+ 10'336 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:quc5 loader rat
Link:
https://tria.ge/reports/220119-h4ytqsfgb8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Unpacked files
SH256 hash:
2016760276966e7d0a1b3ce5eb62661ee8e92f66e5c04da23d3862c7c2e463f2
MD5 hash:
2cb4c00b5b6341dba4b67aa976efbbd2
SHA1 hash:
0d35ccfebfa45994f925c133ef0477cb33619a24
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/75cc2946-2fb2-4897-ba8b-2cb3fd75a9e5/
Parent samples :
088cc7491fc68b14d1e883a36a411b992ef71a038526e9b15b820985d3bbb7d2
d53203021ea88e690e9254aff60634fbafd324c69bebcd705506046e0647eb88
2eba3f9d82559ae0f8d15c141d3844ad3ae4e98c786ab6720506ab3e80565d8f
07569721866b0b2b3d83ec0db9d400f9cd623c51ea30706aaef9e032ec64795e
db9a46ce4d2d56fb75e4990521c1e905526268b1a6f51311bb8ed6cc6a3ee7b1
ffbd8cb5a8779c934324bbee870d6b1d7549d4c6eb358cd67b923aa8a5b21a36
SH256 hash:
2e1ff2053a2bb121107e3dbba19de64e89b1ab399eefa88e1e50e51dc09a70b3
MD5 hash:
c4db460df1b1c80f81bc2bbae4e2c0cd
SHA1 hash:
b7ce4332b8c3ec8b094601a90d533529acf5ff8e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/75cc2946-2fb2-4897-ba8b-2cb3fd75a9e5/
SH256 hash:
8b9011983dbd573047cefa602efdf328a40ea2e232bcd6701ae615c77d24a933
MD5 hash:
6a419213d402729f9679931ab6a44e14
SHA1 hash:
9f2404055f78cbf129b673f6d70a1606f07329ad
Link:
https://www.unpac.me/results/75cc2946-2fb2-4897-ba8b-2cb3fd75a9e5/
SH256 hash:
088cc7491fc68b14d1e883a36a411b992ef71a038526e9b15b820985d3bbb7d2
MD5 hash:
ce6a283006e8cb7e5855f2d9bd8ca76f
SHA1 hash:
2b1f4c831102d97803a31a9d61ad9ce9b37bb1fa
Link:
https://www.unpac.me/results/75cc2946-2fb2-4897-ba8b-2cb3fd75a9e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.63
Link:
https://yomi.yoroi.company/submissions/088cc7491fc68b14d1e883a36a411b992ef71a038526e9b15b820985d3bbb7d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 088cc7491fc68b14d1e883a36a411b992ef71a038526e9b15b820985d3bbb7d2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/220464/

Comments