MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3946f3036e103af4caf04607d09ead4968fc0240881596f5e95db307f260d898. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3946f3036e103af4caf04607d09ead4968fc0240881596f5e95db307f260d898
SHA3-384 hash: bacf294c0b255f2d0e9c34fe5f3ce2c65fa845967f39e8489c4e80403f6dcde460effca94c56e8fc003077377226b23f
SHA1 hash: 2589535ad7ac3ec8b32732a6aecbe353baed8964
MD5 hash: 6a06f01e65bf8136614c587ab3d7698b
humanhash: enemy-speaker-cola-spring
File name:DB_DHL_AWB001833022AD.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:846'848 bytes
First seen:2022-05-24 18:47:48 UTC
Last seen:2022-05-24 19:57:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:jFDvOLaCtVUA2r/bKFUbowd5MQfBjSLLID:j5OF2Lh5MISLL
TLSH T17805E090F1919A03D6B807B6C0F2893053B55DC5A1F1D24B2ED535D33AF33AF589AA8B
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 514444594d55516d (3 x Formbook)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DB_DHL_AWB001833022AD.exe
Verdict:
Malicious activity
Analysis date:
2022-05-24 22:04:25 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/d22f3d12-a39e-4e61-8540-9b4989ede8c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/274238/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/628d2873054dcf0ecae8c19b/reports/c9b1820a-da13-462e-a1ae-9287e1339727/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d9a1cf0-b90b-42d3-be9e-d4317c633e2e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001125
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3946f3036e103af4caf04607d09ead4968fc0240881596f5e95db307f260d898/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 15:29:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hfdpga3oca5pjsxqiyd5bhvnjfupyasarakzn5pjlwzqp4ta3cma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/220524-xfr4lshegr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
b7f01ac14350b7644caff31902dd801757ec7c468dadb86f0283329635140064
MD5 hash:
c35e0f7b3802d97501727c57d9054d9c
SHA1 hash:
72809a3885a155339ac93cf750ac05d367d89c5c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/342f60bc-4184-4345-96f3-e9822ac6267d/
Parent samples :
a997b6a541b763d9a2efe9e00e5d06facbe23471bbca2b19f30c8126c93bc101
c0e6b0b4e80d36f0872fe01ed20cc5a6d17083f6d11ff93cc5ccc841dd43aa33
abb7b79496780a03680d3406348b02a7418a75260a97ad3a63a9c0d11d030488
c9ce6cdd55466893068a0f0b4f6b0ea2e96ca3f7d55f818bda2205985037ac0a
ced900f9ec05901373c3ae09a06b3ef5ef958764f1fc551590b5f2a820f115a1
3946f3036e103af4caf04607d09ead4968fc0240881596f5e95db307f260d898
SH256 hash:
adebeecf2c8a0505db6bc307c5e4ef4746264ad9994529a93e01a58a0bdacc6e
MD5 hash:
5c202e9597168b08c53e3a51703cf73f
SHA1 hash:
fedb5fa0d9bccb6bc2f8a8bbbd0067834682904d
Link:
https://www.unpac.me/results/342f60bc-4184-4345-96f3-e9822ac6267d/
SH256 hash:
23a31b38a05aa33208ee457a393ce19153ae1dbed9f5b94e11b274efea713d01
MD5 hash:
eddeb705094ce5bcaa074c05d7e344b1
SHA1 hash:
d93375fc40d98333a1d8ae17f11e17a9311f6d81
Link:
https://www.unpac.me/results/342f60bc-4184-4345-96f3-e9822ac6267d/
SH256 hash:
a936419b701428167d1f2f6a35242a3d1b4be76314d370e3cc10654d2b46c700
MD5 hash:
782855252a5c7e51f82bc13df062af6a
SHA1 hash:
d1a28186aad122075734ee484adc541a6316099d
Link:
https://www.unpac.me/results/342f60bc-4184-4345-96f3-e9822ac6267d/
SH256 hash:
56f53b74741d4008f0703443b0488cb82b4477a9ed3cd731fab1436e21f109a0
MD5 hash:
7899a5b0bb3ff183dce15de4e633df13
SHA1 hash:
656aa22d2c3fac2a08ec8469a7355081abb44375
Link:
https://www.unpac.me/results/342f60bc-4184-4345-96f3-e9822ac6267d/
SH256 hash:
3946f3036e103af4caf04607d09ead4968fc0240881596f5e95db307f260d898
MD5 hash:
6a06f01e65bf8136614c587ab3d7698b
SHA1 hash:
2589535ad7ac3ec8b32732a6aecbe353baed8964
Link:
https://www.unpac.me/results/342f60bc-4184-4345-96f3-e9822ac6267d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3946f3036e10/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/3946f3036e103af4caf04607d09ead4968fc0240881596f5e95db307f260d898

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3946f3036e103af4caf04607d09ead4968fc0240881596f5e95db307f260d898

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274238/

Comments