MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 098e2e5d1fa98d106c36ed3e7e1e632afd7ae0e10442fa0dabf2f6ed8c9c18b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	098e2e5d1fa98d106c36ed3e7e1e632afd7ae0e10442fa0dabf2f6ed8c9c18b5
SHA3-384 hash:	1e2240f8740bee6f0db83f7c2b3431d792885c90391c7c855c010d7346ae6ac67f981683f1ff06b49a5a8023566d3b5c
SHA1 hash:	0d11d85a0cf13637a7f56a3b6b4417f5b4d23f3b
MD5 hash:	0074e3ea80dbccc795e03ac9e5ffb8b3
humanhash:	three-nuts-earth-zulu
File name:	DHL INVOICE.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	475'136 bytes
First seen:	2022-01-20 08:13:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:KdxWx9RkYiLThz/SE1uctNmYQq7nYfcJ:KbWx9A7SKuSmYQq8U
Threatray	12'785 similar samples on MalwareBazaar
TLSH	T160A4CF077BDEC622C269673384EF800447B8EE916A53DB0E3DD873BC192275B9A4535E
Reporter	abuse_ch
Tags:	DHL exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

190

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/220976/

Detection(s):

Win.Packed.Malwarex-9936906-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61e919d00f8c757253cfbb92/reports/ddc04991-f463-40c7-a7fd-ab6b03fc7f41/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e8cc8aa6-63ed-4885-bfc7-482acf06def2

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/924121

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/098e2e5d1fa98d106c36ed3e7e1e632afd7ae0e10442fa0dabf2f6ed8c9c18b5/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-19 10:45:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bghc4xi7vggra3bw5u7h4htdfl6xvyhbarbpudnl6l3o3de4dc2q._file

Verdict:

malicious

Label(s):

formbook

Formbook

10ff5c8bac827b012bc5b6f789e7c23913b662453cd0bcc7f3f5192260d7a950

Formbook

3ac2da7ec8b0c46550c9b85707c4743ea4cacbb5bb6ee0fd159792f3978e3ad3

Formbook

41baa5cad8fb3ecbaa97116421042ba41a024823638e9b7608c5ac2e2a339525

Formbook

5ec2107b1399b50f3ed23e72228f1a74ab9898191a23431c8a4cbff7b73af998

Formbook

81dc0dc902eb39bef1ff536e63644fac0d6aa928a200718185aaa21c137c7458

Formbook

82dd41529ae86f25911df1f4b3b032008b7bc7af33b47c5367863bde1291a410

Formbook

86df15ac78abc1d224a4249db72d29dcb2979fd0669a15c0d291e47648dc0c1c

Formbook

bb8e1d48225b002a4da7d0c33051e7fc457e244ed610f536b87702439d978a46

Formbook

bbbb4573dc583a2870aad1d30b310e6e61dae23c5652ae30207a392209d9dd6d

Formbook

+ 12'775 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:uite loader persistence rat

Link:

https://tria.ge/reports/220120-j41h1ahab6/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Sets service image path in registry

Xloader Payload

Xloader

Unpacked files

SH256 hash:

f05c06604cc582010ceae93b62a628378b5dac81afde261d1f520afcdf19cc59

MD5 hash:

cbaf9a05e0f74f456eeaaca7b9f5703f

SHA1 hash:

dded0c10d3ebaf8d33fbf4f13c3ebe0749e36bbd

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/9498ca56-4cdc-437b-bce8-33125180ee9c/

Parent samples :

c9277579c2b441a9dd25231630cc68aa654fd6015ad491bc9933eb64e6519a6f
b82e745ba015a055a095def48d56427a11d88ba4faddfa5bb46b1afbddb71511
0450f9017a4e7556c6bbfa5e69363ed935e11fa47efff5755b172103b3b59892
098e2e5d1fa98d106c36ed3e7e1e632afd7ae0e10442fa0dabf2f6ed8c9c18b5
517377e9b25075808b1192b4e85e09b19b739c1af884f5d87903cc2a7ca311e8
1b27ec5bcc09aeb96de7c80607af4b006dfd412c997e2d69f9f653504b7ddb89

SH256 hash:

9a91db783551302f1de84c5a721e2d5ef4bd911b2910993380452d1e2925cf04

MD5 hash:

fe33bcf2810a34783a78c3eaf851d4b8

SHA1 hash:

e8da5e570e3a8c31579a8005a27bdb8f3bb8263b

Link:

https://www.unpac.me/results/9498ca56-4cdc-437b-bce8-33125180ee9c/

SH256 hash:

ab38ae826d829e56a2d85c51f9bb29c8b03cd5e2dcb1bc26042e303428ea1597

MD5 hash:

82a0b536de20cc913e21a1986ab63bdb

SHA1 hash:

1888df21b12f53e6fd9fe3915bf2021c8ff7e38f

Link:

https://www.unpac.me/results/9498ca56-4cdc-437b-bce8-33125180ee9c/

SH256 hash:

098e2e5d1fa98d106c36ed3e7e1e632afd7ae0e10442fa0dabf2f6ed8c9c18b5

MD5 hash:

0074e3ea80dbccc795e03ac9e5ffb8b3

SHA1 hash:

0d11d85a0cf13637a7f56a3b6b4417f5b4d23f3b

Link:

https://www.unpac.me/results/9498ca56-4cdc-437b-bce8-33125180ee9c/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/098e2e5d1fa9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/098e2e5d1fa98d106c36ed3e7e1e632afd7ae0e10442fa0dabf2f6ed8c9c18b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/220976/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample