MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ea667119c0aeda764dcb53a2adf480a26985bfc682949d0fb0c02d266342c68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ea667119c0aeda764dcb53a2adf480a26985bfc682949d0fb0c02d266342c68
SHA3-384 hash: 76f89f9e6e0c03315e33e32ca8b1fed7ccbd0946bb4ea80d5f3193c6c255ccbeeddff49b53e49e7d2ac759255eb5ab75
SHA1 hash: 34b072cdd785e0be9bf9717707a72c122ebf8e93
MD5 hash: 690684b6b6a432ef5f8b34b67653d4be
humanhash: carpet-magnesium-september-delaware
File name:DHL AWB# 4AB19037XXX.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:11'776 bytes
First seen:2021-09-27 17:35:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 192:vXJJ/3Du6VyVt6TgAgoEwJnWO+Bh72Jkp/dq2bpKyS:hJ/3W6TgAgoEwJnWhzHp/dXpKy
Threatray 9'892 similar samples on MalwareBazaar
TLSH T1BA323652A7FF3712C5B043F48AE343274BB52A1634A2EB1D7EC342CD25A9F564981E27
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL AWB# 4AB19037XXX.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-27 17:38:37 UTC
Tags:
trojan formbook stealer opendir
Link:
https://app.any.run/tasks/442d0a42-8149-4335-8886-afb0f2dac096

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192225/
Detection(s):
Porcupine.MSIL.Downloader.Agent.IVE.101827.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a912acfa-5442-4368-b735-873c414d7cf4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859282
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 491716 Sample: DHL AWB# 4AB19037XXX.pdf.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 29 www.themshirt.com 2->29 31 www.aquitemtijolo.com 2->31 33 2 other IPs or domains 2->33 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 9 other signatures 2->49 9 DHL AWB# 4AB19037XXX.pdf.exe 14 4 2->9         started        signatures3 process4 dnsIp5 41 cdn.discordapp.com 162.159.133.233, 443, 49739, 49740 CLOUDFLARENETUS United States 9->41 27 C:\Users\...\DHL AWB# 4AB19037XXX.pdf.exe.log, ASCII 9->27 dropped 61 Writes to foreign memory regions 9->61 63 Injects a PE file into a foreign processes 9->63 14 RegAsm.exe 9->14         started        17 conhost.exe 9->17         started        file6 signatures7 process8 signatures9 65 Modifies the context of a thread in another process (thread injection) 14->65 67 Maps a DLL or memory area into another process 14->67 69 Sample uses process hollowing technique 14->69 71 2 other signatures 14->71 19 chkdsk.exe 14->19         started        22 explorer.exe 14->22 injected process10 dnsIp11 51 Modifies the context of a thread in another process (thread injection) 19->51 53 Maps a DLL or memory area into another process 19->53 55 Tries to detect virtualization through RDTSC time measurements 19->55 35 www.lighterthanlight.net 178.254.0.81, 49841, 80 EVANZOASDE Germany 22->35 37 laliinparfumeri.com 185.15.197.14, 49837, 80 DEDICATEDTELECOMTR Turkey 22->37 39 7 other IPs or domains 22->39 57 System process connects to network (likely due to code injection or exploit) 22->57 59 Performs DNS queries to domains with low reputation 22->59 25 autoconv.exe 22->25         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ea667119c0aeda764dcb53a2adf480a26985bfc682949d0fb0c02d266342c68/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-27 10:56:31 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f2tgoem4blw2ozg4wu5cvx2ibitjqw74nauutuh3bqbnezrufrua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24
Formbook
326a1e669385d8e241375e9eca9f915440f1d0d3f803e6d1648f30102cbedaa6
Formbook
3dfa10d42004768b9da7da94dc0586a0b9d68b56dd6bf5b5057b6b896eec5336
Formbook
50c6754cbbd313acc6a250182439a1191d8f8318f0794feea75bd647b6205f7a
Formbook
64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025
Formbook
6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c
Formbook
7b4c1bf9a15a419080fe02866aa26f162f79d5e01763c6af5915b07988556223
Formbook
990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d
Formbook
b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb
Formbook
c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb
Formbook
+ 9'882 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:o4um loader rat spyware stealer
Link:
https://tria.ge/reports/210927-v6m68sheh5/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Downloads MZ/PE file
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.dependablelawnsnow.com/o4um/
Unpacked files
SH256 hash:
2ea667119c0aeda764dcb53a2adf480a26985bfc682949d0fb0c02d266342c68
MD5 hash:
690684b6b6a432ef5f8b34b67653d4be
SHA1 hash:
34b072cdd785e0be9bf9717707a72c122ebf8e93
Link:
https://www.unpac.me/results/a9507b92-1b11-4106-80a0-9cbfab48c849/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2ea667119c0a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/2ea667119c0aeda764dcb53a2adf480a26985bfc682949d0fb0c02d266342c68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/192225/

Comments