MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21293dba237b25dfdbafe677d095c40a4590c0b16fa5f22728b768394aa1ee0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21293dba237b25dfdbafe677d095c40a4590c0b16fa5f22728b768394aa1ee0c
SHA3-384 hash: bc4807131e7de4d213d4efb4f37724afec3e927e33727abda85b4deb4d0c8eeea86fa388b70f7dc13d8fbcd9827bcb20
SHA1 hash: f04760183f3eeebaa53faf0f6443a975233ce28e
MD5 hash: 8d6192f22da742160ed5547a2323c97e
humanhash: crazy-jupiter-robin-sink
File name:DHL Shipment Notification 145336786.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:886'272 bytes
First seen:2021-07-08 02:24:18 UTC
Last seen:2021-07-08 07:43:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:jXpgUP6IL6H2AoeDZJnJBaUGgjJf43cUV3DM7mUuS8tyD+OILnerc6NsB3yc4hk:Fz+ZxJBa1IqbVr6NsdE
Threatray 6'345 similar samples on MalwareBazaar
TLSH T149155BBD7332659FDE6BD538C7742E2C4F1172BA920BB33A945770865488BC68E1243B
Reporter malwarelabnet
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Shipment Notification 145336786.exe
Verdict:
Malicious activity
Analysis date:
2021-07-08 02:26:07 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/e543c271-c02e-4fa5-856a-6e478dd6923d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170329/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.908-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6e7b0ad-ce92-43b2-bd04-8ed4ba154093
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813228
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445639 Sample: DHL Shipment Notification  ... Startdate: 08/07/2021 Architecture: WINDOWS Score: 100 34 Multi AV Scanner detection for domain / URL 2->34 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 7 other signatures 2->40 10 DHL Shipment Notification  145336786.exe 3 2->10         started        process3 file4 28 DHL Shipment Notif...  145336786.exe.log, ASCII 10->28 dropped 50 Injects a PE file into a foreign processes 10->50 14 DHL Shipment Notification  145336786.exe 10->14         started        signatures5 process6 signatures7 52 Modifies the context of a thread in another process (thread injection) 14->52 54 Maps a DLL or memory area into another process 14->54 56 Sample uses process hollowing technique 14->56 58 Queues an APC in another process (thread injection) 14->58 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.savvydevice.com 17->30 32 savvydevice.com 34.102.136.180, 49747, 80 GOOGLEUS United States 17->32 42 System process connects to network (likely due to code injection or exploit) 17->42 21 svchost.exe 17->21         started        signatures10 process11 signatures12 44 Modifies the context of a thread in another process (thread injection) 21->44 46 Maps a DLL or memory area into another process 21->46 48 Tries to detect virtualization through RDTSC time measurements 21->48 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/21293dba237b25dfdbafe677d095c40a4590c0b16fa5f22728b768394aa1ee0c/
Threat name:
ByteCode-MSIL.Trojan.Ursu
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 01:08:41 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eeut3ordpms57w5p4z35bfoebjczbqfrn6s7ejziw5udssvb5yga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0726096c82c2c643c7de2ed48533e0a545e71f2294433cd7df473aebe9f17681
Formbook
36262c0543ba3fb3354a3786c2fbaba5e3a407678caf077bc6a99d5795fc73f0
Formbook
74743d6468cedf3e66f1171ef32981dca4fb211b3fd7be519045fc42b077ced2
Formbook
932d535ab92b682eff0f74322211abd760021a9003d18b953e7226a6ebc38902
Formbook
d243b48aff13e467981e04d6eb1c0dcba8e50dc01a670f280e59bc96e59f6719
Formbook
d654d8728cd5b7c24ac8b82f7fbc6e7429b46fdb57bb384534242ca4e5a5043a
Formbook
d71f2defd3e3aa48697681a732a8c5ce8df75479b65953ba3063e028fc3d9116
Formbook
f49cfcb35472df4416a15ef2fdb156eef71e8b483d39811c19ed61d804af1da4
Formbook
f8c3b9a8f01e022158ef5f9bc6d69287b6b03ce5527f7ac911de25dcdc016569
Formbook
fb6e849cd3af7e8b0c8143397e62a595a42abbfbbac81f2cdd0b2cb4d18ea543
Formbook
+ 6'335 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210708-bz7ql3llaa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mistermott.com/iic6/
Unpacked files
SH256 hash:
e7371b456ec6d9f6610d6cc4427d3d5c79f3758c66578563b729833ae5a88968
MD5 hash:
08b0b91e3be4ef57fcd992d8beb6bf30
SHA1 hash:
a8c5fb06f89f598955eccdeb9d7bd8a0fd564095
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0ef8d9be-f64a-4ca0-90ed-9e970428e95d/
Parent samples :
d654d8728cd5b7c24ac8b82f7fbc6e7429b46fdb57bb384534242ca4e5a5043a
f49cfcb35472df4416a15ef2fdb156eef71e8b483d39811c19ed61d804af1da4
36262c0543ba3fb3354a3786c2fbaba5e3a407678caf077bc6a99d5795fc73f0
d71f2defd3e3aa48697681a732a8c5ce8df75479b65953ba3063e028fc3d9116
21293dba237b25dfdbafe677d095c40a4590c0b16fa5f22728b768394aa1ee0c
SH256 hash:
e4b9a7b3896ac313ab10b0585e30fffc8e7ccd84e35aa1d14a8c600e9939c7f1
MD5 hash:
1659946ebd7a061196b6d18743740c8d
SHA1 hash:
2be6671539b8f51f41f11f59faf86cbc52e27e13
Link:
https://www.unpac.me/results/0ef8d9be-f64a-4ca0-90ed-9e970428e95d/
SH256 hash:
5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110
MD5 hash:
257ca10e5cbb2f8bdf0ae6f3e900e11e
SHA1 hash:
9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec
Link:
https://www.unpac.me/results/0ef8d9be-f64a-4ca0-90ed-9e970428e95d/
SH256 hash:
21293dba237b25dfdbafe677d095c40a4590c0b16fa5f22728b768394aa1ee0c
MD5 hash:
8d6192f22da742160ed5547a2323c97e
SHA1 hash:
f04760183f3eeebaa53faf0f6443a975233ce28e
Link:
https://www.unpac.me/results/0ef8d9be-f64a-4ca0-90ed-9e970428e95d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/21293dba237b25dfdbafe677d095c40a4590c0b16fa5f22728b768394aa1ee0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170329/

Comments