MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26705e4ada8b02a8418a05211a726c3b2965961aadb6d14ead860a722543c646. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26705e4ada8b02a8418a05211a726c3b2965961aadb6d14ead860a722543c646
SHA3-384 hash: 2b85e29df05260142d40cffc8d3d2d76d5d32bf99b8d5a0ddb7fac767ff1bd267d242c4b60e935369a4af7f386b44708
SHA1 hash: 7327de95e4a4a62a6b235cf1c11b76b27fdabe80
MD5 hash: 71194120660ecbcea37e90c2d1b545a0
humanhash: river-spaghetti-fillet-quebec
File name:dhl express track parcel.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:420'864 bytes
First seen:2020-07-02 09:26:25 UTC
Last seen:2020-07-02 09:50:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:O8B5D8wYpKUvAjXAYAabyAI4AeLa8xThl+ueOagV/K4oXjYj1AMLFvnFvZ4egCK2:Otn5CrECHvb4EtSBg1llSCrj
Threatray 5'092 similar samples on MalwareBazaar
TLSH 67947BC072F64B92E6B657F74A32980047F6B8BA213ED2594DC670EF94A1F504F91B23
Reporter abuse_ch
Tags:DHL exe FormBook SendGrid


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: wrqvncxz.outbound-mail.sendgrid.net
Sending IP: 149.72.44.174
From: DHL Express <sales@automailmarketingworld.fun>
Subject: Track Your Shipment !!
Attachment: dhl express track parcel.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18409/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.68339.18673.22691.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/26705e4ada8b02a8418a05211a726c3b2965961aadb6d14ead860a722543c646/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-02 09:28:07 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ezyf4sw2rmbkqqmkauqru4tmhmuwlfq2vw3nctvnqyfhejkdyzda._file
Verdict:
malicious
Similar samples:
4e8ddcec5c75934d0418b3f5f66c20925bd67b6acda0bb0c3a0ee684865a6e4b
FormBook
5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea
FormBook
64ac97cf73567009fd4ea4707b2c0ac2917c74842a81bddf874889d772bf9146
FormBook
752db567072f4a2760250ed35d71d75f5b3dbbab62ec60ca6d2e694c4b744a09
FormBook
8fa8f67945e7ad85b3afc20abed666c8c69e9b0e592b9002c5bb78438d093d3e
FormBook
9c7b335e031c3c2fde1e7d75cbe08bd0951b0cb8a327fa4bd3e54c4c59d32936
FormBook
b97bfa891b722322095fcbd10be1c232066827749e4f5dc945beacf1a84d1658
FormBook
cc02c528f1eccf6891f5c97815c5c97560ca1c92849e35669bf061cb55e6289b
FormBook
df2bbdd833be8896f46c8660acfc9da2711f2a75d8338240b781fc6ee3964f9e
FormBook
e58d299e799026f70c33649310efef0e2ccfa45514fa554dcc0f4eb9fbdf1cf2
FormBook
+ 5'082 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200702-d7vtz6kv2j/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run entry to start application
Deletes itself
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe 26705e4ada8b02a8418a05211a726c3b2965961aadb6d14ead860a722543c646

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/18409/

Comments