MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 220d35d385349e3abbaece7585c05e1caa1a7bf9117aafae75c72b94e116ceab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 12

SHA256 hash: 220d35d385349e3abbaece7585c05e1caa1a7bf9117aafae75c72b94e116ceab
SHA3-384 hash: df13cc3789bcc63044c5ea0df7aed256d1d035c3d7e3e05e557f1464099bea4c8f16904efb832aa8ed081c80a51af458
SHA1 hash: cb43c834d977c1d1b9dfbafd471f94a5ec424aab
MD5 hash: 41d3336d41333acbd7612f8967bb27bb
humanhash: tennis-oven-hamper-november
File name: DHL consignment number 8801995460.exe
Signature: Formbook
File size: 623'104 bytes
First seen: 2023-11-13 06:50:28 UTC
Last seen: 2023-11-13 08:22:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:fc1xgi+bLzeEjzCf5cS5hDaVQb9N4VrnmUUriDY7JRYR:+K3vEqS5h2VQoVzUrsYFR
TLSH: T1E6D422D037EAFF24E66C07F924A141150BF1921E2483EA4C5FD2A9CE5FB67044A94FA7
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 00a282a2a282a200 (17 x Formbook, 11 x AgentTesla, 4 x SnakeKeylogger)
Reporter: abuse_ch
Tags: DHL exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 306
Origin country: NL
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Launching a process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph: (rendered graph not reproduced; recoverable details follow)
Behavior Graph ID: 1341539
Sample: DHL_consignment_number_8801...
Start date: 13/11/2023
Architecture: WINDOWS
Score: 92
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures
Process tree: DHL_consignment_number_8801995460.exe started; flagged with "Injects a PE file into a foreign processes", it started four further instances of DHL_consignment_number_8801995460.exe, one of which started WerFault.exe
Threat name: ByteCode-MSIL.Trojan.Taskun
Status: Malicious
First seen: 2023-11-13 02:26:58 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 18 of 23 (78.26%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SHA256 hash: d05893b7f6f8e80de00ec14432669d61fcc0e3e84d1a8235e6c9207a2fecc650
MD5 hash: 5fbe5d27b6cbcb98066b83b977bcf634
SHA1 hash: bfe5828699cc8d7b30f878dfbc3c3d803b9ef138

SHA256 hash: 2a16bd3d9ad8cc8b608195a117c45d303d284219e0ee40d0928553301211a9b8
MD5 hash: 74c639f476b2f613c981076895da5ab1
SHA1 hash: d4f627fc4949a9a4d780c92fbb8d6d7fdfdab21f

SHA256 hash: d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash: 579197d4f760148a9482d1ebde113259
SHA1 hash: cf6924eb360c7e5a117323bebcb6ee02d2aec86d

SHA256 hash: 62757af7ce2dcfe188245dd26d85e233c2ded82311c600c7c8ec83c8c8a071b2
MD5 hash: 804cc8416b7db140f03d251ca3abbf00
SHA1 hash: 1a1160f7db639606a1046b555b08a43035aff960

SHA256 hash: 010c1a4f5c85063dcf95c7975752c8a2fd6e355c8fd9fe52acccf671a18d8e7e
MD5 hash: ec8e2bca09462d9ddc7ac34bf9317459
SHA1 hash: bd03ef3f36988796f338a415b1cd5687bba76513

SHA256 hash: 016986356111c9444d0e5c0a4a7790f5e4f587da7e0f49ba2ccda38692be430e
MD5 hash: 92fe091c8c331c86c5209d90f5d9a6d1
SHA1 hash: b6a83bbe3d9b8dd88de6f62894234b5077326ad2

SHA256 hash: 1e5b50423d5063d1ca3bca6d9a0478e93fd715b3ed54acea1347e9ba597247b7
MD5 hash: 7fc5329396b78992e595a688cfe5a613
SHA1 hash: 723b9815ea56bef4f08bf7dbd6c381bf7b22a2ae

SHA256 hash: c9dc570c44cfa053bc205061f28e1e27b9088058d4a9ea1bdc5fe81269a9750a
MD5 hash: b08255511ad91dfeb810a9f52a626127
SHA1 hash: 5081ab6e496715d1d01b3ba3b2b2596b2ad382e5

SHA256 hash: d6c88ad4ab27f78ec082dec61678ca3e30b31ca2718511e19cecfb5fda6029d7
MD5 hash: a1916dc0b8417c732f821f415d01d8b9
SHA1 hash: 352360c8aa92891cf59a2690abde3da29a61cddd

SHA256 hash: e019f473a63200c18b57cf254aa81449c0081cd3f606be939bdbfd1036d897da
MD5 hash: b5df22274699f602c1eb7892b93044cf
SHA1 hash: 2cb587a131042cdab1717e4ac9a4b601b7aca57a

SHA256 hash: 220d35d385349e3abbaece7585c05e1caa1a7bf9117aafae75c72b94e116ceab
MD5 hash: 41d3336d41333acbd7612f8967bb27bb
SHA1 hash: cb43c834d977c1d1b9dfbafd471f94a5ec424aab
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__GlobalFlags
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Formbook
Author: kevoreilly
Description: Formbook Payload
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: pe_no_import_table
Description: Detect pe file that no import table
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Windows_Trojan_Formbook
Author: @malgamy12
Rule name: Windows_Trojan_Formbook_1112e116
Author: Elastic Security
Rule name: win_formbook_w0
Author: @malgamy12

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 220d35d385349e3abbaece7585c05e1caa1a7bf9117aafae75c72b94e116ceab (this sample)
Delivery method: Distributed via e-mail attachment
