MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 256864d01e10f13f207b94efadddd3687aaa7f2a1ab29c8e9fe9a8ae8f524e1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7



SHA256 hash: 256864d01e10f13f207b94efadddd3687aaa7f2a1ab29c8e9fe9a8ae8f524e1f
SHA3-384 hash: 78f2b0410c144e022b2392f4d369b05384d48e53842be2d59fed1eb18395b26c2a079b382d64b932cb082b2dad609723
SHA1 hash: cd3d592fdf7fe3e2341a48ceb1b79ed330cb3e98
MD5 hash: 6cff6009b60518027e644a36dffcb4f8
humanhash: echo-venus-enemy-yankee
File name: DHL Express shipment waybill number 8318869311.exe
Signature: Formbook
File size: 672'768 bytes
First seen: 2021-05-03 05:39:53 UTC
Last seen: 2021-05-03 12:31:49 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'817 x AgentTesla, 19'739 x Formbook, 12'285 x SnakeKeylogger)
ssdeep: 12288:wuCRFbPCjdOSkno86HiBADJuSxRvi1W8rLZ2cNss3J5UCBl9XcHE:wNfOjdOSk+2VIczyOtc
Threatray: 198 similar samples on MalwareBazaar
TLSH: C8E4AEAB73A15E64D64C0E768912008C82F1D037B1F6F6DF35E45AEAAA01316867F4F7
Reporter: abuse_ch
Tags: DHL exe FormBook

Intelligence

File Origin
# of uploads: 3
# of downloads: 99
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a window
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-05-03 04:37:21 UTC
AV detection: 10 of 47 (21.28%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: agilenet
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Obfuscated with Agile.Net obfuscator
Unpacked files
SHA256 hash: 256864d01e10f13f207b94efadddd3687aaa7f2a1ab29c8e9fe9a8ae8f524e1f
MD5 hash: 6cff6009b60518027e644a36dffcb4f8
SHA1 hash: cd3d592fdf7fe3e2341a48ceb1b79ed330cb3e98
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments