MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13c00bc290e406966253c9e54247a0532d765926887df502f20a6a7ce3544a65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13c00bc290e406966253c9e54247a0532d765926887df502f20a6a7ce3544a65
SHA3-384 hash: 1693e3acb4a99390b871eec4a6bf825e5da789ee0335ca030f868d50b389f7476f9b7e3cf8916cabebe4aff93d1e602a
SHA1 hash: 863e9bce8ccbc0e759a4bf55cf7252402b865716
MD5 hash: 3330868730ab42f212fe7c5ac6c75096
humanhash: zebra-venus-chicken-lamp
File name:Documento de recibo de DHL AWB_#2067498,pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:969'216 bytes
First seen:2022-09-07 10:02:33 UTC
Last seen:2022-09-07 10:49:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:sSEBcveBc2DeziVcba+HZfBGtY8kQl6II61i3ur8+WaM450zSLA+k49lylSx1:pRF2DwDba+BANkQl6XINPMccSE+k4l
Threatray 18'222 similar samples on MalwareBazaar
TLSH T12E25BF1529CCAFB0E4399B309463542843F3BC13AB15D6AD7EC7387D98F2A81E963647
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00870d1848c4cc20 (27 x RemcosRAT, 6 x Formbook, 1 x NanoCore)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Documento de recibo de DHL AWB_#2067498,pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-09-07 10:04:10 UTC
Tags:
formbook
Link:
https://app.any.run/tasks/3a01b94b-2276-45ef-8322-7b1e45067a73

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308416/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.42077.15432.28811.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Launching the process to change network settings
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63186d0ee73fb79b7afd4a35/reports/fc38e7a1-926f-4def-bfa4-e944e58c5754/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d16d83c3-f544-48bd-ab67-14de29494b66
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1066591
Signature
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/13c00bc290e406966253c9e54247a0532d765926887df502f20a6a7ce3544a65/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-09-06 17:16:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
56
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cpaaxquq4qdjmystzhsuer5akmwxmwjgrb67kaxsbjvhzy2ujjsq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
15eb688bffed96b0b324724e48b258dc6c6deb76d71310b26b01e1e12f26108c
Formbook
240af737f08b41b9fb0b540653951b5b9b7c4459ad86a88e1ee33918f757f573
Formbook
3ca280d2c5ee9398048047d72c785b1927a7a09c1d4a637737b1d3902587f948
Formbook
4bbb39fcbea555b2ff359c3422f1058dcebd8e4cf0ae68d3b05f2198d57db9a8
Formbook
66e023153783841c82581216957c689782313b971b270bf48f1ec3bc1885d3e4
Formbook
7f0d2570e95993562f659f45e635df91b3155a8c220bc1b859f1cf838bb66278
Formbook
8277159c5821b9c8c699fba65eb77532da18b0de22d6052d0fdc3377f9732fe4
Formbook
83706cb8ae1132981fc4b5fbbd44e8433e5456d21fd0baf1c819998074b5fd25
Formbook
f5e4fe8ba1f482c650dfe0122078475da2330edf2a0bab3357ff071d27fa1a36
Formbook
fc15ab19130fccdae7dee477e0ae6d711fe3492cbac1b7e5d472eae4902f9516
Formbook
+ 18'212 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220907-l3crnabfg8/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Modifies Installed Components in the registry
Unpacked files
SH256 hash:
5f0a8fb99dbe62aafc33836318bb8a6a5e1004f94b21a180daa662503a5c3089
MD5 hash:
b3a4a7848838292841b5d441a50db649
SHA1 hash:
ee043785c3f794aa5dd9872372f0e4feeebf7f83
Detections:
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/43419b11-5cd5-4430-ac54-0faeaa258430/
Parent samples :
13c00bc290e406966253c9e54247a0532d765926887df502f20a6a7ce3544a65
9e42f2ef4b7751e719a0496c372104cd3929a6a8a0e9b8d273ad0175d86cfd67
3c933007d33dcea4eafb81ba9e29ef5c4cdbda2360266cd27442218f2b91e58e
99362f4e3e31be7018b14e4ba3ca7fd22c7a8c3953cd64ef42d9db6e22f2f361
4b0c9687e2404152643dbac78f4adfd8350095b9d465cb64b60de1ff70d3e651
SH256 hash:
e4ab8392bbae038f7354a4307753ba802fb383134ce195594fc94776b6f27c43
MD5 hash:
4dde67d9892ca520e658c900d59f3856
SHA1 hash:
6a05bcef01cb755c4948bc16286a5c237ff5d704
Link:
https://www.unpac.me/results/43419b11-5cd5-4430-ac54-0faeaa258430/
SH256 hash:
4b84bdf968ffd8b87244dc25119ef167dc9ef4bc6469f981befbc785b9005fba
MD5 hash:
7d9d4cbf33187757356ab937df6348d2
SHA1 hash:
b9d0892e42990d06b543dab1a9c3041a34474294
Link:
https://www.unpac.me/results/43419b11-5cd5-4430-ac54-0faeaa258430/
SH256 hash:
4f80ddfe49b270f801ab44aa899153bbe2a0fb93abed0f9fc992f74ff6ab4fde
MD5 hash:
f4ba8570299eabf8fe2d02cc1dc0606a
SHA1 hash:
5d7add32313074f5a1e9b4ab379298dee8b6217e
Link:
https://www.unpac.me/results/43419b11-5cd5-4430-ac54-0faeaa258430/
SH256 hash:
13c00bc290e406966253c9e54247a0532d765926887df502f20a6a7ce3544a65
MD5 hash:
3330868730ab42f212fe7c5ac6c75096
SHA1 hash:
863e9bce8ccbc0e759a4bf55cf7252402b865716
Link:
https://www.unpac.me/results/43419b11-5cd5-4430-ac54-0faeaa258430/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/13c00bc290e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/13c00bc290e406966253c9e54247a0532d765926887df502f20a6a7ce3544a65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 13c00bc290e406966253c9e54247a0532d765926887df502f20a6a7ce3544a65

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/308416/

Comments