MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cb047df6b7a2df55972c4d33b5d10b511f707f30907513f07bf5ae2c070d534. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cb047df6b7a2df55972c4d33b5d10b511f707f30907513f07bf5ae2c070d534
SHA3-384 hash: 5a13cdf813d8eabc0f43f5dc5a22621402fd5c4e893ca63994f362044807bb01c128a6f1c22b679e0b541842c108cedb
SHA1 hash: f32583503a9b5861c53024b848ec16bf793f9a01
MD5 hash: 2219442c3227ffa9ada120bb9fe9eb6a
humanhash: victor-zulu-king-fruit
File name:Pending DHL Shipment Notification REF 81621.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'181'696 bytes
First seen:2021-08-16 11:04:07 UTC
Last seen:2021-08-16 11:44:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:xoDSFYqblhB9Zqia9E7d0h0daaGKujU9ve3haTsD:5yC19ZqbEx0hcHpyhUs
Threatray 7'846 similar samples on MalwareBazaar
TLSH T1A745E73916B82B27E079E325E6E54417B3E0A45FB225ED59BCCE07A70206F4265C733E
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pending DHL Shipment Notification REF 81621.exe
Verdict:
Malicious activity
Analysis date:
2021-08-16 11:09:10 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/131a78e0-25f0-4271-ac1b-ef918c568c52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179497/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.998.4795.13212.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fc3eaaad-c43f-4a1c-a061-c8a4412f25de
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833435
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: SAM Dump to AppData
Sigma detected: Suspicious PowerShell Invocations - Specific
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 465866 Sample: Pending DHL Shipment Notifi... Startdate: 16/08/2021 Architecture: WINDOWS Score: 100 34 www.portalcanaa.com 2->34 36 www.ahlstromclothes.com 2->36 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Yara detected AntiVM3 2->46 48 7 other signatures 2->48 11 Pending DHL Shipment Notification REF 81621.exe 3 2->11         started        signatures3 process4 signatures5 56 Injects a PE file into a foreign processes 11->56 14 Pending DHL Shipment Notification REF 81621.exe 11->14         started        process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 28 www.yhk868.com 108.166.197.72, 49738, 80 MULTA-ASN1US United States 17->28 30 www.0898htt.com 23.82.228.157, 49746, 80 LEASEWEB-USA-SEA-10US United States 17->30 32 7 other IPs or domains 17->32 38 System process connects to network (likely due to code injection or exploit) 17->38 40 Performs DNS queries to domains with low reputation 17->40 21 systray.exe 17->21         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0cb047df6b7a2df55972c4d33b5d10b511f707f30907513f07bf5ae2c070d534/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 11:05:09 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bsyepx3lpiw7kwlsytjtwxiqwui7ob7tbedvcpyhx5nofqdq2u2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
016e6200c368ec7e158572673568037338e92642721c8e543a01571fd0ee2571
Formbook
132167fd6c334c13919991a82a38645572a9d58c5f83cb1ddf0fcf41e37d2105
Formbook
3cec9bd714745b020366af9537184c619794ef4dee36c99093f53b243c97dcc1
Formbook
435b924af18dce67e3fbc2b55fc515b839fe883da2e10fd3c8c21859a1181d64
Formbook
6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92
Formbook
8bd8e7edfd64f242eec8ebeaf0a473152c0f52de8f0318f8bcacf98326e0405a
Formbook
b2c2371d92995eb349a4d6be53af3c42798af56b94f59adf1d765d2905fd5871
Formbook
fa7a3ac64a6c26f248d805abfb0961bfe6518df6dcb3212de51593b92d5e4158
Formbook
+ 7'836 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ssee loader rat suricata
Link:
https://tria.ge/reports/210816-3rhntejwbe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.idt-metrofireandsecurity.com/ssee/
Unpacked files
SH256 hash:
fe4ed2a81e8d978e5af169b4144f115f27e039f4d56f627ec25dcdf3468bc1ef
MD5 hash:
84869db9efc28228fd5932c0a33a9aac
SHA1 hash:
33b9d49e3eb86dbd7b9bac6b2580bc69d251b611
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/40618a65-36b5-4804-8e94-0185fcc0198c/
Parent samples :
1c49c90dceca146ee0b95fab3873e38bcda5b46b550a59f8ba2ccf5984a11b92
fa7a3ac64a6c26f248d805abfb0961bfe6518df6dcb3212de51593b92d5e4158
435b924af18dce67e3fbc2b55fc515b839fe883da2e10fd3c8c21859a1181d64
132167fd6c334c13919991a82a38645572a9d58c5f83cb1ddf0fcf41e37d2105
0cb047df6b7a2df55972c4d33b5d10b511f707f30907513f07bf5ae2c070d534
9744a8f624cc86bce830db5caf4a5a8b2263b51f53ca384908b2557e5f9ce99d
7f0599ad186f76d0d5ae5daf5e713747281b1b631bfef0cb340b2977ed53d253
71d1fda394f185684d721f59017634f981e972964f1b4c23366fa28c1da4307f
366b6d23b6e536c3b8bd769edbebc2e7dc26e38e75ac85a32a7b4512f585b68f
f7c1ecf2c6e90d8a9a0ac0972b0ab02ca809a85da65d51b46f56a4c81cc4996e
aba30cfb1f3ce3760e9cbd42f49cafa3582d349d690f1ee91674e2998f4b290e
ac57d8cb242185bd11b7b0ab898c06f7904e0e0a0d9c39edd3b136c902bf394a
69a08fcc2b3eb5499a9356a801bb646d7726dc158cba7f141335997f374ead38
a73336c8fc448bd54031998ad8cbda50f452c3c8a1600623a43e07ce6476b3d5
b4c38c13fa5c4e7789b534da669f6aff46e9faa41ceac97ed3deea7ca94094ca
2465cbd2ae3adb04f06a069fef61acc098096ef1f33cece8076d059b106f7b3a
63abf2ffa58c2c36920a2be604c77ac2a25b2bd5d1d6ba9d81338da21418ff10
e426d0d32845bb665740831128bcb5109a588544acf73317f5ee3bce6e5f486f
42c496ed24bc4b1abd0d647105d7931b9b18b9ce638550dcc5e96fa0cd69dc4c
a9d0de4abec8a5d9f13b203b8f4bcc0dcd101fb5f5f89ea910414d4cc16391ab
169a316f9557b3a154c1cbc1ab4aae2b690d71fd197ff39ac77e58c7e7db4196
fdd78bbf6d05b69fbdcaa24727822f1ec7e9b652266ac34ed69916537e6aeff2
ee5ab13a8694e1883f2e4f1509580d2cd01b6041ef78da9e1524f8b4eaee6ed5
c221c9dcc6e6a5c53181b072958ebe173ac1781861fb1d95ed1734def6322972
b5821114ae6e03e71fa7cc2dc293aa7f8a5563ebb4a2151194b2acb9eed4758d
61364951cb7faf165eaadcb66f8e124a689f5f298ec5f2d9539206904d1194b8
1fad173e519f8c7cb34093e926807794765789e79d377e89ffe201ae8d76dd99
13c385c3a7e1297c506764e1b956a5aa568590389356140c92e2a2cb953bffe5
6ec3a910864aa91b0bec91275ffc3ef7e3dcc0e1c7f247624514b1c9d4c16992
9dbcb6d140d0fd1db131b3f086eb8ee6dc9d0dcdd325f36b48aea1495408e2a2
91a28bbaaaed3acd39f0c37cf091e0a4e3a54ac5f00b4c26c5d3af44c9bc3fb3
cb32d42bcbcc716d12c9926bd3aab2def79f4dc2774f2f04234d95b2b4849e86
def69bd673ae57b70c20087596b787eb27c1f0da7053ba2991e87cf7f032c43c
SH256 hash:
6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash:
03bde4a82ad64c0f314985232fbca3fa
SHA1 hash:
e8d0b6339e94192eaaca32c812f914e60576dca6
Link:
https://www.unpac.me/results/40618a65-36b5-4804-8e94-0185fcc0198c/
SH256 hash:
de6f0667b6438ce74ddadea7f7f27a6ad3ba2ce6a127b22ef2d16b39af341d4a
MD5 hash:
044861aef8c70071df1216a389eb17a7
SHA1 hash:
0642e5d74997ff14e7a8181f2367700f6f38b3f1
Link:
https://www.unpac.me/results/40618a65-36b5-4804-8e94-0185fcc0198c/
SH256 hash:
0cb047df6b7a2df55972c4d33b5d10b511f707f30907513f07bf5ae2c070d534
MD5 hash:
2219442c3227ffa9ada120bb9fe9eb6a
SHA1 hash:
f32583503a9b5861c53024b848ec16bf793f9a01
Link:
https://www.unpac.me/results/40618a65-36b5-4804-8e94-0185fcc0198c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/0cb047df6b7a2df55972c4d33b5d10b511f707f30907513f07bf5ae2c070d534

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 0cb047df6b7a2df55972c4d33b5d10b511f707f30907513f07bf5ae2c070d534

(this sample)

  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/179497/

Comments