MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e127318c1ce80a94092d002caa752b9e4a8c0ad1c8c86953389ba05b9b24eb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e127318c1ce80a94092d002caa752b9e4a8c0ad1c8c86953389ba05b9b24eb2
SHA3-384 hash: df99b2ba8b876529e239c1255472343251658c24bc1c2b92efad8f70f05f593372efb2a1d42c9d9e694b53972ac6ea64
SHA1 hash: 404ec60fab7781ebf7e2a86ce02b3dd81a9be5a0
MD5 hash: 3c8bc6926d2aa35e99c8c5e17ab20f24
humanhash: failed-massachusetts-ohio-west
File name:DHL shipment doc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:932'864 bytes
First seen:2022-12-12 16:57:14 UTC
Last seen:2022-12-12 18:30:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:LAStSg5EyldXvv9nEHBJD2v0LQ6YVNZ0mhra1jzXKxXGiI:84SgddXv1EHBJD2MLBYbZdra1n6gi
TLSH T18B156B2CEBDCE6B9EFE7BAD6062A6FC00556E5C81E83F195893F71AD0D10210F106D96
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL shipment doc.exe
Verdict:
Suspicious activity
Analysis date:
2022-12-12 17:00:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6855ad6a-f270-452a-89a0-fda4823f9f0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/345541/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.738.19292.13626.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63975d9b485d8463dc4143eb/reports/e4c6fcbe-01b2-45fc-9efa-f5be6d379966/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d5307f9-2843-4472-881c-11d49cd93352
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1133014
Signature
Deletes itself after installation
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 765736 Sample: DHL shipment doc.exe Startdate: 12/12/2022 Architecture: WINDOWS Score: 100 29 Malicious sample detected (through community Yara rule) 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 Yara detected AntiVM3 2->33 35 2 other signatures 2->35 8 DHL shipment doc.exe 3 2->8         started        process3 file4 21 C:\Users\user\...\DHL shipment doc.exe.log, ASCII 8->21 dropped 11 DHL shipment doc.exe 8->11         started        process5 signatures6 45 Modifies the context of a thread in another process (thread injection) 11->45 47 Maps a DLL or memory area into another process 11->47 49 Sample uses process hollowing technique 11->49 51 Queues an APC in another process (thread injection) 11->51 14 explorer.exe 11->14 injected process7 dnsIp8 23 088-356.com 185.224.170.82, 49697, 49698, 80 PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL Netherlands 14->23 25 www.waishow.website 69.57.163.159, 49699, 49700, 80 FORTRESSITXUS United States 14->25 27 2 other IPs or domains 14->27 53 System process connects to network (likely due to code injection or exploit) 14->53 18 WWAHost.exe 13 14->18         started        signatures9 process10 signatures11 37 Tries to steal Mail credentials (via file / registry access) 18->37 39 Tries to harvest and steal browser information (history, passwords, etc) 18->39 41 Deletes itself after installation 18->41 43 2 other signatures 18->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e127318c1ce80a94092d002caa752b9e4a8c0ad1c8c86953389ba05b9b24eb2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-12-12 16:58:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dyjhgggbz2aksqes2abmvj2sxhskrqfndsginfjtrg5alonsj2za._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/221212-vgt89abh65/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4897b262-be52-4790-9435-aad1288596e5
Unpacked files
SH256 hash:
c9aa4c9150f58234fd5feff9142434e919e36aec267f208cfc16d6ca3d42a96d
MD5 hash:
30ff67b5489bc8364a0e2e5b5035cd68
SHA1 hash:
76cdc482ce820f5889429653f76f20f8f022de84
Detections:
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e6581a88-ae87-44b0-8d94-cda7bb1be78a/
Parent samples :
1e127318c1ce80a94092d002caa752b9e4a8c0ad1c8c86953389ba05b9b24eb2
74f7661ce543ece586c81b95a2ee3174ca65e17369a90bb6522aa1cd34524754
0c99ac0f354ca12ab65c083c65b5d82ee242f9dbc2e5bdc8d9354959d655af52
0dd1d1a74f49a15f9b7dcfc7890060807198b74b835cb17f60886a0f2c9c1376
1200bb8db6fa441d0e9a752853cdc84841988a5e75510813d648153402e31955
9d1ee961410bd91109f256fa8d0976d53e2c317e8ef55ad244063adf7865afe1
f9ffa58b5dd142b4f6e87a1c7fb8915a1d2054c5ffeda62eab078c8f5b1ef644
8e994310a20708fa820e03c6fb82e0b73c55cd0dc0c703bb0e44d4ed67c30567
61977941b6ece2c52ebec3b2d38b4e3f4b1d4713bd6b3ddb0f0405351e2adce7
SH256 hash:
44025022362169baa09442690969ab14bfc9dbd65b2cab6f6c963aa247706391
MD5 hash:
e0fc6615a88b2a263cb9e418abcbb612
SHA1 hash:
b774b2590170b49031a85b2873a80127392e0fab
Link:
https://www.unpac.me/results/e6581a88-ae87-44b0-8d94-cda7bb1be78a/
SH256 hash:
be026d8a23b3df1bf24e1b8ebc7f2766b6cfe644eb3fbd0de4adda15a08d81ce
MD5 hash:
446663f4b4bee2c3dcf500f54b060417
SHA1 hash:
ac902b7383c427c3daaf3d42e91e705a98a6271f
Link:
https://www.unpac.me/results/e6581a88-ae87-44b0-8d94-cda7bb1be78a/
SH256 hash:
9474135d85a44b9592e70bcd3f44f0b38b876e9c4071cb241e7d9d04eedf8400
MD5 hash:
9c26d27025a0a3e39904c5f8f7b9cc52
SHA1 hash:
68a82997ec8a28981d8532ce3c08a64df9e153b7
Link:
https://www.unpac.me/results/e6581a88-ae87-44b0-8d94-cda7bb1be78a/
SH256 hash:
922915132a628d0050bf03a473370544dde3323627fb4adcba3f1ba869537e50
MD5 hash:
1ecb63625d636b0b8f8ebdece9fa80c3
SHA1 hash:
5623d5ad21fc63893011bae7e4709c51219fcc1c
Link:
https://www.unpac.me/results/e6581a88-ae87-44b0-8d94-cda7bb1be78a/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/e6581a88-ae87-44b0-8d94-cda7bb1be78a/
SH256 hash:
1e127318c1ce80a94092d002caa752b9e4a8c0ad1c8c86953389ba05b9b24eb2
MD5 hash:
3c8bc6926d2aa35e99c8c5e17ab20f24
SHA1 hash:
404ec60fab7781ebf7e2a86ce02b3dd81a9be5a0
Link:
https://www.unpac.me/results/e6581a88-ae87-44b0-8d94-cda7bb1be78a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/1e127318c1ce80a94092d002caa752b9e4a8c0ad1c8c86953389ba05b9b24eb2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/345541/

Comments