MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cee3b34015cda890225c0937db8e9d36372f2f4cd11efe9fbf1770306cf6b3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cee3b34015cda890225c0937db8e9d36372f2f4cd11efe9fbf1770306cf6b3d
SHA3-384 hash: ae46052c06b12d9744b661cd774482539dec13220a5a7ee214f594646a9c71b4a15004d9a78bab3efcd68d1e235a43c1
SHA1 hash: 43e6479b544403de3c0cc2e6a5875be7c51fd4ba
MD5 hash: bb8b5bd506a3bf1e6c68ecd5ef9dc480
humanhash: seventeen-minnesota-sodium-triple
File name:DHL.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:295'198 bytes
First seen:2023-03-09 08:34:20 UTC
Last seen:2023-03-09 10:34:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:KYa6ggEz6nb+o6C4MmgmzvqcZnHeuJSzyBJwHKMZyaK:KYBEz6bN6C6gSvqyfJSuBwK
Threatray 2'269 similar samples on MalwareBazaar
TLSH T10A54125A26B0D127DD7A17F2187A5AA91BB7EE131870930F0350FB5C72336834A1E79B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9e1f25494b370f0d (2 x Formbook)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL.exe
Verdict:
Malicious activity
Analysis date:
2023-03-09 08:38:50 UTC
Tags:
stealer formbook trojan
Link:
https://app.any.run/tasks/c721885a-27e3-41b4-ac4b-7291c1e6e4dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372896/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.31414.5696.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/64099a3af0b8f72099e8837e/reports/86da159e-d5a9-43c5-84d1-fc2146ab7a54/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2cee3b34015cda890225c0937db8e9d36372f2f4cd11efe9fbf1770306cf6b3d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc8669e0-ae86-4c02-b767-ec1393a8dff3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1190126
Signature
Antivirus detection for URL or domain
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 823007 Sample: DHL.exe Startdate: 09/03/2023 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 3 other signatures 2->39 9 DHL.exe 19 2->9         started        process3 file4 25 C:\Users\user\AppData\Local\...\ynsxprkmp.exe, PE32 9->25 dropped 12 ynsxprkmp.exe 9->12         started        process5 signatures6 51 Maps a DLL or memory area into another process 12->51 15 ynsxprkmp.exe 12->15         started        process7 signatures8 53 Modifies the context of a thread in another process (thread injection) 15->53 55 Maps a DLL or memory area into another process 15->55 57 Sample uses process hollowing technique 15->57 59 Queues an APC in another process (thread injection) 15->59 18 explorer.exe 2 6 15->18 injected process9 dnsIp10 27 www.mynichemarket.co.uk 185.151.30.181, 49726, 49728, 80 TWENTYIGB United Kingdom 18->27 29 www.landlotto.ru 109.70.26.37, 49729, 49730, 80 RU-CENTERRU Russian Federation 18->29 31 11 other IPs or domains 18->31 41 System process connects to network (likely due to code injection or exploit) 18->41 22 raserver.exe 13 18->22         started        signatures11 process12 signatures13 43 Tries to steal Mail credentials (via file / registry access) 22->43 45 Tries to harvest and steal browser information (history, passwords, etc) 22->45 47 Modifies the context of a thread in another process (thread injection) 22->47 49 Maps a DLL or memory area into another process 22->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2cee3b34015cda890225c0937db8e9d36372f2f4cd11efe9fbf1770306cf6b3d/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-03-09 00:26:20 UTC
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ftxdwnabltnisarfycjx3ohj2nrxf4xuzui672p36f3qgbwpnm6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
43440434172d5730884fa5f0ae4f7ae73c4815e74618d18bc405d18dd325fed4
Formbook
88043d723394b97599313522b0a2f599f8678529ba0febfebb6642cc966bde94
Formbook
b3fe3de729e3bacd16f951173d7e42ec7fae5bf90909cece61e782282fd96ced
Formbook
b6b4defc23fd79807ed6c5a4e2a111465c3e444a6efd07e837fcfffa4a19b688
Formbook
c448049c359c9ada55dbdefbb772020aa3962804d485ccf52adefb3a2030e3fb
Formbook
c4ab14d93e54b2c6e70fa0f284cee729b56186894dfdff4207cbc3d0c690c80f
Formbook
cec7134d68d67d6f7ee0d32945f6ee4eafeb58a68c4769867f212ad879480c22
Formbook
d69b13f1276594f9f10cf722a15179b0d71911a92d15a726e1bdd234a880cf92
Formbook
eedf79769078bf047dbdf03d4c4e352aaebd783624bd8dcf1de29fba4bc51c56
Formbook
f5ae9ee403c63e78514c23cdb6297c09a5367c241f6151def5fe1fc096946de4
Formbook
+ 2'259 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230309-kg2cfsad3y/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
7599909ef18a2f043f140fb5e53cf635acefbfce10cacbcc1171070ed46ee097
MD5 hash:
d85e3c5becae6b8348e0233f2353a36a
SHA1 hash:
ca829b0cafebad99d0c177ffee4e4d9704275052
Link:
https://www.unpac.me/results/ceee6f4a-4358-4f6f-8a77-5062da08449c/
SH256 hash:
6f8579f57e59dd463269dd394cf8b28d4caf5816eb560086249b32adbcbd56de
MD5 hash:
ea61c56d092ef0b864308d22cadd4888
SHA1 hash:
4a918502c4097d74860eced77d96b331723916e8
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/ceee6f4a-4358-4f6f-8a77-5062da08449c/
Parent samples :
2cee3b34015cda890225c0937db8e9d36372f2f4cd11efe9fbf1770306cf6b3d
920a16d2a8e3f31fefc9616d99547362eca7835af553858835166e54736bc91e
d0ac15eeb53f64ad6f399ead8724f38344daf243332f03790598c6716a04f162
SH256 hash:
5edbc4d43f93a21d6cb19cbcccdcec5b7c6a576446e0a962d174610cf82ee64b
MD5 hash:
017b72650ca6d62040793a323c6c4781
SHA1 hash:
1a883642ccb37098f8e1690c239658979ddb45c7
Link:
https://www.unpac.me/results/ceee6f4a-4358-4f6f-8a77-5062da08449c/
SH256 hash:
2cee3b34015cda890225c0937db8e9d36372f2f4cd11efe9fbf1770306cf6b3d
MD5 hash:
bb8b5bd506a3bf1e6c68ecd5ef9dc480
SHA1 hash:
43e6479b544403de3c0cc2e6a5875be7c51fd4ba
Link:
https://www.unpac.me/results/ceee6f4a-4358-4f6f-8a77-5062da08449c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2cee3b34015c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2cee3b34015cda890225c0937db8e9d36372f2f4cd11efe9fbf1770306cf6b3d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372896/

Comments