MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 302c46822b5ac032941a5f71818ea42dc414cba27bee30cd589c3427144dcc6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 302c46822b5ac032941a5f71818ea42dc414cba27bee30cd589c3427144dcc6c
SHA3-384 hash: 823bace10aeb84d7a473534421f776a70998207a0507aa8ee0b5416431276c0f58cbb43d2aeea8cafaf2ddfa135d7085
SHA1 hash: a6a3d3f6e101e906fd372e779ec5a58315dc1aa0
MD5 hash: 7311ce4dc85342af2860dbcf49307fdd
humanhash: hawaii-chicken-speaker-cup
File name:Shipment Document BL,INV and packing list.jpg.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:520'704 bytes
First seen:2021-12-03 10:03:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:FmTz/6udFMNIufbVO8erPU6QFvogdDqFSEy5xPlf8hY3vmllZLWuERLJM:FmH/rdSWrP2gi8gKlZ
Threatray 11'973 similar samples on MalwareBazaar
TLSH T15BB47C0EF712C646E948D7799EB72F217770F9FA8D61C32AB3541A3C886B3B55984203
File icon (PE):PE icon
dhash icon 7078796d44100400 (1 x FormBook, 1 x RemcosRAT, 1 x PureCrypter)
Reporter cocaman
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipment Document BL,INV and packing list.jpg.exe
Verdict:
Malicious activity
Analysis date:
2021-12-03 10:08:11 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/1ebb56ee-97fb-4a6b-b214-baa2affaa885

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/210994/
Detection(s):
Win.Dropper.Generic-7113183-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61a9eb954d8e6f3a5e0ce749/reports/6952070d-9fd2-427d-b9ea-6b55bff72147/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7cddc084-6df2-46b5-a9fa-6f9b68e3e018
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/900762
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Uses ping.exe to check the status of other devices and networks
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 533240 Sample: Shipment Document BL,INV an... Startdate: 03/12/2021 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for dropped file 2->38 40 9 other signatures 2->40 7 Shipment Document BL,INV and packing list.jpg.exe 1 7 2->7         started        process3 file4 26 C:\Users\user\AppData\Local\berry.exe, PE32 7->26 dropped 28 Shipment Document ...acking list.jpg.exe, PE32 7->28 dropped 30 C:\Users\user\...\berry.exe:Zone.Identifier, ASCII 7->30 dropped 32 Shipment Document ...exe:Zone.Identifier, ASCII 7->32 dropped 42 Creates an undocumented autostart registry key 7->42 11 powershell.exe 9 7->11         started        14 powershell.exe 8 7->14         started        16 Shipment Document BL,INV and packing list.jpg.exe 7->16         started        signatures5 process6 signatures7 44 Uses ping.exe to check the status of other devices and networks 11->44 18 conhost.exe 11->18         started        20 PING.EXE 1 11->20         started        22 conhost.exe 14->22         started        24 PING.EXE 1 14->24         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/302c46822b5ac032941a5f71818ea42dc414cba27bee30cd589c3427144dcc6c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-02 15:43:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gawenarllladffa2l5yyddvefxcbjs5cppxdbtkytq2cofcnzrwa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
045c15ef3a76b61d487b30e3e554c77afbc4f3fc17078d3818b5392de608a92e
FormBook
0789b4aec138cf9c5bc3b01774fc8ed075dadf40c8ecf97058c201c9de22160e
FormBook
3ff28d4f5a5b236c660c2714bf1b5a515cf72cd738afea35b916938024644538
FormBook
5fd22c8bf1e7e06ccaa6ebc23410086fe0e3bc30b1613cd6ee734f280c0d6979
FormBook
7c7e7d1ad3f8afd0ffcba163bac7c1df9ceb8202a96a61b30b697569e00051b0
FormBook
90f9e8094fe8847f4b4521afafd5c5e59d4368ddc26a4f589730cd998520fd50
FormBook
a532c52eac805e4d436b96265c172a50026c866ee4f560b75d9b6d93ef71406a
FormBook
ae1c03af5639fe2515edf78971c8e322e4f5c271944da757583a2f2c372a4231
FormBook
c63cb761da677849b8382eb1d926569f00a04d57f2c789b63e7f2eb2e368a00c
FormBook
+ 11'963 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:e6b3 persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/211203-l3yn5abag3/
Behaviour
Modifies Internet Explorer settings
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Formbook Payload
Formbook
Modifies WinLogon for persistence
Malware Config
C2 Extraction:
http://www.xn--7tq168cfwa.xn--6qq986b3xl/e6b3/
Unpacked files
SH256 hash:
6891077ecc93aab1d366f1e92b4d0811d22f27f6763755f06b5749b25618db7e
MD5 hash:
225d20c89dd72c188271598aaac819a6
SHA1 hash:
65316b476acd42afafcb83b9b8cca255c4078bb5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/fe3d02e3-4853-4db7-85cf-6bd940317b37/
Parent samples :
0789b4aec138cf9c5bc3b01774fc8ed075dadf40c8ecf97058c201c9de22160e
10cb1836c9ad0c738ca0c95b748075b4c035f6edd8c07f41735a1ebc9c352eff
4d88b7c45db03545e9efd2f6e07d838849a43594f6a425c05189ca93317a667b
302c46822b5ac032941a5f71818ea42dc414cba27bee30cd589c3427144dcc6c
SH256 hash:
5bb8df81cbd391ee6afcd7df0104f22491ccbe895a614a7146726afd2b387196
MD5 hash:
50a97c7d594b75752583fe0d34750ee1
SHA1 hash:
c7fd227acdd02f76201a4c23a7ea86c61a5e3ebc
Link:
https://www.unpac.me/results/fe3d02e3-4853-4db7-85cf-6bd940317b37/
SH256 hash:
ffc82f6ad24a8c5852db6745fb8d12242e8b9c014af3f3b7b2fd78dbbc14c318
MD5 hash:
47b3dabe0594896606a8447c84ff1843
SHA1 hash:
c10284db4edd7b52808fb1f66684376adabfff12
Link:
https://www.unpac.me/results/fe3d02e3-4853-4db7-85cf-6bd940317b37/
SH256 hash:
302c46822b5ac032941a5f71818ea42dc414cba27bee30cd589c3427144dcc6c
MD5 hash:
7311ce4dc85342af2860dbcf49307fdd
SHA1 hash:
a6a3d3f6e101e906fd372e779ec5a58315dc1aa0
Link:
https://www.unpac.me/results/fe3d02e3-4853-4db7-85cf-6bd940317b37/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/302c46822b5a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/302c46822b5ac032941a5f71818ea42dc414cba27bee30cd589c3427144dcc6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

ace 40c99b13e4c363cb6bdd1f2bcbe100d2ef7a80d67b44f10fe2551b2b4fb173c7

FormBook

Executable exe 302c46822b5ac032941a5f71818ea42dc414cba27bee30cd589c3427144dcc6c

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 40c99b13e4c363cb6bdd1f2bcbe100d2ef7a80d67b44f10fe2551b2b4fb173c7
Cape
Cape
https://www.capesandbox.com/analysis/210994/

Comments