MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 363bf36180115b78abbb81e53def8018de22600b153958406302b6d71414f6c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 363bf36180115b78abbb81e53def8018de22600b153958406302b6d71414f6c7
SHA3-384 hash: 80eb01aba4d12fd2f24deb104604d838d3ea2e896097be853cd6ffaed0ab8b59b628d26c71d03a6d6bef1fdac049469c
SHA1 hash: 6dfa986cb828b71326ea6303864685f024a7c589
MD5 hash: 3ae9af1fa239e12610fd29e73f0e7140
humanhash: crazy-emma-oklahoma-delaware
File name:DHL Shipment Details - Please Review.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:832'512 bytes
First seen:2023-03-28 17:44:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:XDKdJVZz5dUMUN781mT7RXQ5Czievxy8k8xLLRPvc5OdHnMbjJs4i:XoVZ9SM+78QT7RALQY8kiLRPw8Ho1i
Threatray 2'552 similar samples on MalwareBazaar
TLSH T1FC051215E2A46621E76A477C14909C40C7BDA2EA1353FF4EEE1C60D32EF67D00A1FA5B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Shipment Details - Please Review.exe
Verdict:
Suspicious activity
Analysis date:
2023-03-28 17:48:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5e3e264b-49d1-4e5b-a616-f8e842822d32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/378261/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/642327a0fa73f9cb0d60149d/reports/21938a03-93e0-41a8-9f65-9a39e811e3a8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/363bf36180115b78abbb81e53def8018de22600b153958406302b6d71414f6c7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8dda4c0b-6468-4754-9c7e-aecd13dff4b7
Result
Threat name:
FormBook, Play
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1203782
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected Play Ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/363bf36180115b78abbb81e53def8018de22600b153958406302b6d71414f6c7/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-28 01:03:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gy57gymacfnxrk53qhst334addpceyalcu4vqqddak3nofau63dq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0312ca773d06b41b2906310879143c0737bb66dbfda5d01ec1ec69d4cfb58adc
Formbook
11b8ec17c90add99a6e717e3f90640dcbfef63c3b4185c872caea70841bd74f2
Formbook
3d31416fc1abd53a89b8e7f61a3a4a392be2c1a2a8947562a58504b9e6300be0
Formbook
8382a6ee4216faec05fbd17a082a85a05c4878ba1dbc440744439a5011eea035
Formbook
b05548e7921f293f59a8fa99b2eba03957daa2ae01275e48d94a75a3ca941288
Formbook
c5881aae0402696993a36546d2fa1e44d6fb53c0b8528ea23cbb1c12e0e7c9b1
Formbook
d7f939548251900b0227703cb9825c0923b4cd0c2feccf155409d07f6bb7676c
Formbook
e004337426d90bd966b01fc36d2252d4b9f05dacede72ce8514540d604cf0663
Formbook
+ 2'542 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230328-wbqjjsdh8w/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
53f3bceda55aa98f261a4fc63d8dd4726a38994e188b33bbd7fd50fa1a975c9b
MD5 hash:
d4434e8b2342e61f54d228d6df31f812
SHA1 hash:
9f168691f334ef9c8a109106ba588bbba550e043
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/1ce2f46d-3bd8-46b9-9380-7c033371d777/
Parent samples :
85ec808ea496cecaac7987b39f394e96b0c13c83bba11a754ab6a91141fae2ac
363bf36180115b78abbb81e53def8018de22600b153958406302b6d71414f6c7
f22e2d1a6903ccecd271a8b287c427f4127f5966bf1761cf0a0e5071bfe93c37
SH256 hash:
59017a6310baa0bed9e81421e0aa5c0e4502cfac22d04e831a01b0b5ca2d2ffb
MD5 hash:
e604fdff24a148a78940020b9e70f6d6
SHA1 hash:
095d30c80275839590aafd0fadb13fa8e7508b75
Link:
https://www.unpac.me/results/1ce2f46d-3bd8-46b9-9380-7c033371d777/
SH256 hash:
b4b190818a658f0b64f5aa6d39e901e9d731bf1f58fa072b4c73120a96489bdb
MD5 hash:
3c6f8b2e78f5ebf58c4f170b30c04607
SHA1 hash:
c0ee09a1a9d1c673ad7eadabab7de44ebe0ff765
Link:
https://www.unpac.me/results/1ce2f46d-3bd8-46b9-9380-7c033371d777/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/1ce2f46d-3bd8-46b9-9380-7c033371d777/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
531ffda61daf967a0037f1323179acd34240be7ba4a74889f925bffb4d86af4f
MD5 hash:
ddfbd0a45fa51499d7ed9dcbd2b3ee37
SHA1 hash:
684f47385b515de60bb307aed1d0ac7fe409a31d
Link:
https://www.unpac.me/results/1ce2f46d-3bd8-46b9-9380-7c033371d777/
SH256 hash:
c1da7073f862b67003632f24fed3ddedd0c4964a1d5f007c912cca84638bff30
MD5 hash:
4ecf4a81e865b35993baaf3f8e5eb8f7
SHA1 hash:
40c8fe1bd5385ed597df9b0ee5bb8ef6abe4f53a
Link:
https://www.unpac.me/results/1ce2f46d-3bd8-46b9-9380-7c033371d777/
SH256 hash:
363bf36180115b78abbb81e53def8018de22600b153958406302b6d71414f6c7
MD5 hash:
3ae9af1fa239e12610fd29e73f0e7140
SHA1 hash:
6dfa986cb828b71326ea6303864685f024a7c589
Link:
https://www.unpac.me/results/1ce2f46d-3bd8-46b9-9380-7c033371d777/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/363bf3618011/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/363bf36180115b78abbb81e53def8018de22600b153958406302b6d71414f6c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 363bf36180115b78abbb81e53def8018de22600b153958406302b6d71414f6c7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/378261/

Comments