MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11e4389a0963c995ed5af62f1a93e53198e880b6f39fc120b60a8d68312e232f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11e4389a0963c995ed5af62f1a93e53198e880b6f39fc120b60a8d68312e232f
SHA3-384 hash: 645c79b8635022850f33632e3383849cffa50ffc0472be6cff7f40ba19cde5b62f5efce00290a8b6e91f51a2a71d84d4
SHA1 hash: c335f6946aa83645cf679840688c15d6c670440f
MD5 hash: ef08c236d54c5b5678d2c57cd6dfd6fb
humanhash: idaho-diet-snake-florida
File name:DHL DOCUMENT.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:284'672 bytes
First seen:2020-06-22 06:45:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dd5f8b0707ceb863b351d3105c092df6 (8 x Formbook)
ssdeep 6144:FoH9MNLXrStAEie+11Ze88scpCgKvrIPXn9xK:2H9wD2+1q88/QNG9xK
Threatray 5'129 similar samples on MalwareBazaar
TLSH 5154E16674998A72E013517DC83ED8034D6ABC2F91B1415B3BE425BFBB70E805EAB713
Reporter abuse_ch
Tags:DHL exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: hwsrv-743276.hostwindsdns.com
Sending IP: 23.254.231.29
From: DHL DELIVERY SERVICES <jr@vimi.pw>
Subject: DHL Shipment Notification Ref ID: 4653179812
Attachment: DHL DOCUMENT.PDF.r00 (contains "DHL DOCUMENT.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12407/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/11e4389a0963c995ed5af62f1a93e53198e880b6f39fc120b60a8d68312e232f/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-21 22:13:03 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=chsdrgqjmpezl3k26yxrve7fggmorafw6op4cifwbkgwqmjoemxq._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
trickbot
Create hunting rule
Similar samples:
03d585ea89f4e62bc18d42d1fadad0b02faca6d68c831e79fb542e9efd183f7a
FormBook
51ba9fa1830056b815cc4203b57ee4f46b26a5f7dd7f6a01066c94fb88bf8f01
FormBook
620e100a8454a1fe2978e299f7b591c07589bf257bd2b1913c3b7ad601699e4b
FormBook
6e85d06aa422cfc42dafe910acf8de96a3224bc6eb8b5af7e7435c0881d7e7e6
FormBook
77168234eb706333e4835666a00a8fd8e110959660c97e5c5528ed3a3d0f5081
FormBook
9747bf43bd88474f148cdd3bd1a5a8ffa391c53ed7846e15fb5138190b73ecd8
FormBook
9bebd6b8400a02ec36958c8cf06d3abc659b462d482fca3df8a3a64e42b3e234
FormBook
9da0df6eb709cee7468a850c0b59914ca84eeace25bea74ed6d393e0e5e84737
FormBook
c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348
FormBook
ddf6f04276c1d976e62e199e6c928fb7a3d7aaec455a1859f8d8f605c89ffc64
FormBook
+ 5'119 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/200624-4pd3wp5mkj/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

07e4d9077a7edaed5dfa75a0411dcd8a

FormBook

Executable exe 11e4389a0963c995ed5af62f1a93e53198e880b6f39fc120b60a8d68312e232f

(this sample)

  
Dropped by
MD5 07e4d9077a7edaed5dfa75a0411dcd8a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12407/

Comments