MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22976d85639b00522de9050cb1178a85e14f7ebfa744a55383e4a56cdb21873f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22976d85639b00522de9050cb1178a85e14f7ebfa744a55383e4a56cdb21873f
SHA3-384 hash: 5d85fbd24f43ea33f900532dac59c1fd90c7b90c5eecb3c9b2ba7294c6a2717277778816ad8eb728b06b49de9678871f
SHA1 hash: 5ebbc752e2ef8e0de23642d09eaef9f46308248d
MD5 hash: 187e3680b6859c4d059948b0a9e9a816
humanhash: winter-indigo-lion-vermont
File name:DHL AWB 4500028900.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:719'360 bytes
First seen:2023-08-12 07:46:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:ed0zBICR0US9FrUcub/iRc3UsXmfXMN9f4fUAFws8Tt+NlqTjN:EeiCmUkFcBv/f6FwnY+TjN
Threatray 3'616 similar samples on MalwareBazaar
TLSH T162E4CF60EE38DE82E54F4B79108FC70E8271584A3626C63A6AAB51C5D4877C206DF7DF
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL AWB 4500028900.exe
Verdict:
No threats detected
Analysis date:
2023-08-12 07:50:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b8c25abf-c5ce-44dd-82f1-d6d597694984

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442324/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Restart of the analyzed sample
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/22976d85639b00522de9050cb1178a85e14f7ebfa744a55383e4a56cdb21873f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/847bdf57-282b-4d09-b28b-40be4469584a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290427
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Deletes itself after installation
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1290427 Sample: DHL_AWB_4500028900.exe Startdate: 12/08/2023 Architecture: WINDOWS Score: 100 28 www.studyingmarx.com 2->28 30 www.siantarcodesacademy.com 2->30 32 18 other IPs or domains 2->32 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 4 other signatures 2->48 10 DHL_AWB_4500028900.exe 3 2->10         started        signatures3 process4 signatures5 60 Injects a PE file into a foreign processes 10->60 13 DHL_AWB_4500028900.exe 10->13         started        process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 13->62 64 Maps a DLL or memory area into another process 13->64 66 Queues an APC in another process (thread injection) 13->66 16 RAVCpl64.exe 13->16 injected process8 signatures9 40 Sample uses process hollowing technique 16->40 19 msdt.exe 13 16->19         started        process10 signatures11 50 Tries to steal Mail credentials (via file / registry access) 19->50 52 Tries to harvest and steal browser information (history, passwords, etc) 19->52 54 Deletes itself after installation 19->54 56 4 other signatures 19->56 22 explorer.exe 2 1 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 liftdetox-2023.com 162.241.61.94, 49975, 49976, 49977 UNIFIEDLAYER-AS-1US United States 22->34 36 www.studyingmarx.com 45.207.200.212, 80 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 22->36 38 11 other IPs or domains 22->38 58 System process connects to network (likely due to code injection or exploit) 22->58 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22976d85639b00522de9050cb1178a85e14f7ebfa744a55383e4a56cdb21873f/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-11 12:36:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eklw3bldtmafelpjauglcf4kqxqu67v7u5ckku4d4sswzwzbq47q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
2f77d3d54d53abf393f64e11d858760760953897f4d10025cc4816b9b8b87e6d
Formbook
4246ac35e29b03cf4057457231abf222b88bf64cd65b59d7dc79d35b1953372b
Formbook
5762d46e91e94d731bb4f1047a3d080b27be1b34d05236e8c8f24b24238545fd
Formbook
76c0b6dacffa84c683a078ee89c597f3997aac922c0fbac7e2fe1ae5c7748259
Formbook
a16bbcd964ae89f1cae59ed66c22f1009830c91db528215972952d97433bfb71
Formbook
a36813a35722d441ec430098be1f72cde0fb40c561ea21b858ba7c10516d62e4
Formbook
d38a6a6faeecb0d30b8d9a8d857e850f1f125dc1cfbe497899bd52695498bef5
Formbook
e993ad6ce52f0658ee9c8df04a56361bfa2a8c21d1e31673f798e470caba554e
Formbook
+ 3'606 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230812-jmj5pacg3y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
7730ae17d9d094aff519f1ac8773cc626649d4f5cb207f761f4d149b82dc0487
MD5 hash:
1d8af0632a56700f4b2059357ce10512
SHA1 hash:
c704dcd56d5a56b765c4c6a0e4104ba5907fb0ff
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/5676b862-b991-43d6-8ed3-4e671f9199ea/
Parent samples :
a36813a35722d441ec430098be1f72cde0fb40c561ea21b858ba7c10516d62e4
22976d85639b00522de9050cb1178a85e14f7ebfa744a55383e4a56cdb21873f
a1b477c991a1b8ba6373e0c7af2c7ad5734670eabffda73e457801e1b8ec8fbb
SH256 hash:
c584d64074b1eab58528dbc721935cfbe7badb78ba7c5d6256672b930482899c
MD5 hash:
8b5e647756c43148994949e762bf1c79
SHA1 hash:
7dfa33663944849e9bb7f512462aa6a6c5805253
Link:
https://www.unpac.me/results/5676b862-b991-43d6-8ed3-4e671f9199ea/
SH256 hash:
504410fd6158a7346f5a2e7b7714203b329d46dab5d129719410d5c325122804
MD5 hash:
74ed681a2d7aed1dae5627d4367474f8
SHA1 hash:
cad2df636d3f0710f69fdb18cbae03a332341dd3
Link:
https://www.unpac.me/results/5676b862-b991-43d6-8ed3-4e671f9199ea/
SH256 hash:
8973ec20883b3d45af6c843de26bd764bb3ca9346ffe2def89942b1a973f16f0
MD5 hash:
67cda3ec4bee9bf8bb35ea857ac9a5d1
SHA1 hash:
6ca5037103de3a0d69b07610cdb9a4f7ed70c643
Link:
https://www.unpac.me/results/5676b862-b991-43d6-8ed3-4e671f9199ea/
SH256 hash:
866577d995c2d14ba5337f1f9d7ccff29bc6d2fd466d1a0efe4cd473516e6de9
MD5 hash:
86368e3abe7ac1dcf984b5851560cc2e
SHA1 hash:
17722f5d6166f4ead144c54e52d16514240b481d
Link:
https://www.unpac.me/results/5676b862-b991-43d6-8ed3-4e671f9199ea/
SH256 hash:
22976d85639b00522de9050cb1178a85e14f7ebfa744a55383e4a56cdb21873f
MD5 hash:
187e3680b6859c4d059948b0a9e9a816
SHA1 hash:
5ebbc752e2ef8e0de23642d09eaef9f46308248d
Link:
https://www.unpac.me/results/5676b862-b991-43d6-8ed3-4e671f9199ea/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/22976d85639b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22976d85639b00522de9050cb1178a85e14f7ebfa744a55383e4a56cdb21873f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 22976d85639b00522de9050cb1178a85e14f7ebfa744a55383e4a56cdb21873f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/442324/

Comments