MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26b71bbd2d7db3c56d4a9058a84233364b49150c3bb7b60edec35d37e34d06f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26b71bbd2d7db3c56d4a9058a84233364b49150c3bb7b60edec35d37e34d06f3
SHA3-384 hash: 10a27f5df9d5d4a9c1ddc1c0e4e630e94ae570367b0c0aef47cf873890f5e0bc5431a55a371f8bddaa582737e029149e
SHA1 hash: 557276e8abda029c34fb8070cded3bb720ef91ed
MD5 hash: 4c5cd630652c9addab758d6b5fd87eb0
humanhash: bakerloo-ack-dakota-connecticut
File name:PACCHETTO DHL AGGIORNATO CONDIZIONI SPECIALI, pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:141'312 bytes
First seen:2022-02-15 13:12:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:5OdV3NmFZen2/LEG+MzPRhYTpOaYmHzQVp3:5OdKFQ2/jzRCDDQVp
Threatray 13'542 similar samples on MalwareBazaar
TLSH T11AD3BF097365C15AEA6ABA755C85E2B006B8BD853E17C307B45C3B2FFE711EC1E83518
File icon (PE):PE icon
dhash icon 3af2d2b2b2e0d084 (8 x AgentTesla, 4 x Formbook, 1 x AveMariaRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241616/
Detection(s):
SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/620ba6e7a2660f3bb9dad162/reports/22764069-113c-48ad-822b-04cc2b19e4fc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3931b384-cf25-4e95-be9e-88373b18d24c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/940094
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 572572 Sample: PACCHETTO DHL AGGIORNATO CO... Startdate: 15/02/2022 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 7 other signatures 2->45 10 PACCHETTO DHL AGGIORNATO CONDIZIONI SPECIALI, pdf.exe 15 7 2->10         started        process3 dnsIp4 33 google.com 172.217.168.14 GOOGLEUS United States 10->33 35 cdn.discordapp.com 162.159.133.233, 443, 49756 CLOUDFLARENETUS United States 10->35 37 192.168.2.1 unknown unknown 10->37 29 C:\Users\user\...\Creative_Cloud_Set-Up.exe, PE32 10->29 dropped 31 PACCHETTO DHL AGGI...ECIALI, pdf.exe.log, ASCII 10->31 dropped 55 Creates an undocumented autostart registry key 10->55 57 Drops executable to a common third party application directory 10->57 59 Injects a PE file into a foreign processes 10->59 15 PACCHETTO DHL AGGIORNATO CONDIZIONI SPECIALI, pdf.exe 10->15         started        18 conhost.exe 10->18         started        file5 signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 20 explorer.exe 15->20 injected process9 process10 22 WWAHost.exe 20->22         started        signatures11 47 Self deletion via cmd delete 22->47 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process12 process13 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26b71bbd2d7db3c56d4a9058a84233364b49150c3bb7b60edec35d37e34d06f3/
Threat name:
ByteCode-MSIL.Trojan.XLoader
Create hunting rule
Status:
Malicious
First seen:
2022-02-15 13:13:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e23rxpjnpwz4k3kksbmkqqrtgzfusfimho33mdw6ynotpy2na3zq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
29d23710bef2e9821a27d4d0a74305d582ba41d206d3b48b6762e4f3d78b19ba
Formbook
35f9dd17bfe8b62676bead6a48638b65fd2372b9699cd7572b58e12192143849
Formbook
5dde67093b891df286e998912557fa598ebebc662bb30252fbe9ce7798e50242
Formbook
79215526b0229696bf3961e09918bca444cb43b079ca70834c54db52c49c51ac
Formbook
9767d52eebfbf17f2e549a57d68d7f11c199af327eeb20542b39485f883f61e1
Formbook
a0498dad46971848cf7b2bde020f6ac1ce8bd8508aaf920a2616063098acd6d2
Formbook
b972dfd3f5fd6142b67366d223c0056b75d3d93538a7c05ce35e27ad1c9541ed
Formbook
ccf47d9fd0a0ddce06c265b87f0e2377bb58107c18659ac908b7e3a5731ad081
Formbook
fcccde6b56dbe8650273f1d67957a1adc1dd0e783d43d6543da7a44696731292
Formbook
+ 13'532 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:c0a7 loader rat suricata
Link:
https://tria.ge/reports/220215-qf33jsgedl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
26b71bbd2d7db3c56d4a9058a84233364b49150c3bb7b60edec35d37e34d06f3
MD5 hash:
4c5cd630652c9addab758d6b5fd87eb0
SHA1 hash:
557276e8abda029c34fb8070cded3bb720ef91ed
Link:
https://www.unpac.me/results/d617b20c-001b-4231-bcd7-6a7f143eabe0/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/26b71bbd2d7d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/26b71bbd2d7db3c56d4a9058a84233364b49150c3bb7b60edec35d37e34d06f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 26b71bbd2d7db3c56d4a9058a84233364b49150c3bb7b60edec35d37e34d06f3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/241616/

Comments