MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ebd7f2342b476608315fc5ef48bc17f0384306094db09179e55af8b5b87e64f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ebd7f2342b476608315fc5ef48bc17f0384306094db09179e55af8b5b87e64f
SHA3-384 hash: a5b1a0f515e2d92909969975a651be1e6f7a66a0397cdb3a42cbe534bcdeeb586390a5912eaf92cff06e70ffe6ec2e89
SHA1 hash: f62819be97b92e6fc7163341db881f856ad69e43
MD5 hash: 6c1f569d45b8746be9ded2370fcc870e
humanhash: avocado-william-massachusetts-nevada
File name:DHL Express Service.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:856'064 bytes
First seen:2021-04-26 05:29:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:tuPl9UbkzrzkO4YHYL8OEvIz0yx+2iFXNMGFNznVPEa8YVABvKF3+FTYrl2QA:mU6Ilx2ZEDY+BvKdOGl2
Threatray 4'677 similar samples on MalwareBazaar
TLSH 4B052302239CF726D5BE6BBA06A0714007F1BA03A36BEF4DAECB54E90557F085B45F16
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Express Service.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-26 05:42:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bbbbe6b8-c4cd-4666-bb21-2d805bbe0010

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144159/
Detection(s):
SecuriteInfo.com.Malware.AI.1537019893.13137.14018.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/697507
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 397680 Sample: DHL Express Service.exe Startdate: 26/04/2021 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 9 other signatures 2->46 10 DHL Express Service.exe 3 2->10         started        process3 file4 32 C:\Users\user\...\DHL Express Service.exe.log, ASCII 10->32 dropped 56 Injects a PE file into a foreign processes 10->56 14 DHL Express Service.exe 10->14         started        17 DHL Express Service.exe 10->17         started        19 DHL Express Service.exe 10->19         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 21 explorer.exe 14->21 injected process8 dnsIp9 34 www.frisdrank.deals 188.93.150.107, 49734, 80 SIGNET-ASSignetBVNL Netherlands 21->34 36 www.omvvv.com 154.86.241.165, 49740, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 21->36 38 2 other IPs or domains 21->38 48 System process connects to network (likely due to code injection or exploit) 21->48 25 mstsc.exe 21->25         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 25->50 52 Maps a DLL or memory area into another process 25->52 54 Tries to detect virtualization through RDTSC time measurements 25->54 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0ebd7f2342b476608315fc5ef48bc17f0384306094db09179e55af8b5b87e64f/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-04-26 04:40:34 UTC
AV detection:
5 of 47 (10.64%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b26x6i2cwr3gbayv7rppjc6bp4byimdastnqsf46kwxyww4h4zhq._file
Verdict:
malicious
Similar samples:
06468ea1dc2797e282fadf08ce089550b3f4f665277c65889106e9d33ed61239
Formbook
144ba78ed9c55be4ae5cf35ce9dfa6ee728c8e3eec6ae24e86b63b16c259d772
Formbook
770710adcc9c97316e0f43dcc99ef1561dfe8ec086a1514d4c3d7d0d90b24181
Formbook
8f6fcbc62fb32a19196119ccaa6e45a5eabb8ed2aad233e5ea910dd3e6bde421
Formbook
9f1090c3e94e75b134c1aa55b5e8e2b6ac9b706cd27e0bb1cc44ef4b49f27c66
Formbook
9fadae8c6a192536c41677546bc32e530d38084906e8be610573538f0955c49d
Formbook
d68888aa1e155ac65bd1ddabcf05f61bfff65f79a11cc0ee099200c3da8c5d35
Formbook
ee0a32169adde722c5652fb40046d8251fa8a89ce615a637ed5708372af0d163
Formbook
f3147300f9248e07ffd3a1b7131bed4febad8b0a88eeda27e606f36d04ff1340
Formbook
f8c3b9a8f01e022158ef5f9bc6d69287b6b03ce5527f7ac911de25dcdc016569
Formbook
+ 4'667 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210426-s1bgyy6jvj/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.c-voyageinc.com/r4ei/
Unpacked files
SH256 hash:
e90a19eba5f2de3ba82f652221105bb0682b07c20abddec487c6f4354ea79c39
MD5 hash:
efb0de4397ea61e17d262e278b53ff86
SHA1 hash:
727fdf2ceb13262d56bdda24a02564fb3e80c8b0
Link:
https://www.unpac.me/results/f0cd6084-9de8-4365-9609-845a4a304952/
SH256 hash:
0ebd7f2342b476608315fc5ef48bc17f0384306094db09179e55af8b5b87e64f
MD5 hash:
6c1f569d45b8746be9ded2370fcc870e
SHA1 hash:
f62819be97b92e6fc7163341db881f856ad69e43
Link:
https://www.unpac.me/results/f0cd6084-9de8-4365-9609-845a4a304952/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ebd7f2342b476608315fc5ef48bc17f0384306094db09179e55af8b5b87e64f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144159/

Comments