MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d1df1745e8d882bc8ec2bc5913340e98e74be55296020a3bdf6ad8ee638ca7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d1df1745e8d882bc8ec2bc5913340e98e74be55296020a3bdf6ad8ee638ca7c
SHA3-384 hash: f54847b4763caf58f1c303b39881e449d4a9c5753938095695b0bf9cddfd9bacdca831c755ad004049cf4e02e3bf1ecd
SHA1 hash: d1546f295bc2e89941e32402d7b9379306c958b3
MD5 hash: 3cf718db93cb6349a4cdb25e2f9fe183
humanhash: stream-september-tennessee-ack
File name:DHL AWB TRACKING DETAILS.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:679'936 bytes
First seen:2023-09-04 05:29:09 UTC
Last seen:2023-09-04 06:38:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:SSU0y7VVy9/XMD5mb9cgcQxtmho2vIEBKMNN3CVe7R6b9wrojPN0kV:c0y7VVS/XMFO9cQtmhbHwMr3j89wrojV
Threatray 1'364 similar samples on MalwareBazaar
TLSH T19CE402167BE5876BDC2C6B7DF0300121C334DC4A302AA35B9B86AD1A2DD7791DA159F3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6c6868686aaac8e4 (9 x AgentTesla, 2 x SnakeKeylogger, 2 x Formbook)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
273
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL AWB TRACKING DETAILS.exe
Verdict:
Malicious activity
Analysis date:
2023-09-04 05:31:44 UTC
Tags:
formbook xloader stealer spyware
Link:
https://app.any.run/tasks/17fcb113-4104-4f91-84a7-283fec17f1b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445912/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64f56b5b67511af1a1b42d1f/reports/4184b4f7-0190-4401-b7cf-7bc60a1e72b2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3d1df1745e8d882bc8ec2bc5913340e98e74be55296020a3bdf6ad8ee638ca7c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1cd54e06-10e7-4bdc-8432-8d6023f6b405
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1302578
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1302578 Sample: DHL_AWB_TRACKING_DETAILS.exe Startdate: 04/09/2023 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 10 other signatures 2->41 10 DHL_AWB_TRACKING_DETAILS.exe 3 2->10         started        process3 signatures4 49 Tries to detect virtualization through RDTSC time measurements 10->49 51 Injects a PE file into a foreign processes 10->51 13 DHL_AWB_TRACKING_DETAILS.exe 10->13         started        process5 signatures6 53 Modifies the context of a thread in another process (thread injection) 13->53 55 Maps a DLL or memory area into another process 13->55 57 Sample uses process hollowing technique 13->57 59 Queues an APC in another process (thread injection) 13->59 16 explorer.exe 4 6 13->16 injected process7 dnsIp8 27 amritafashionindia.com 45.79.171.66, 49728, 80 LINODE-APLinodeLLCUS United States 16->27 29 www.kmvnlgxa.click 43.154.67.170, 49725, 80 LILLY-ASUS Japan 16->29 31 5 other IPs or domains 16->31 33 System process connects to network (likely due to code injection or exploit) 16->33 20 help.exe 16->20         started        signatures9 process10 signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3d1df1745e8d882bc8ec2bc5913340e98e74be55296020a3bdf6ad8ee638ca7c/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-09-04 05:30:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=huo7c5c6rwecxshmfpczcm2a5ghhjpsvffqcbi5562wy5zryzj6a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
007da5cb25a7ac030d0e3d0d82a1cd09a069bdb607b6f44ea8538c12ba048aae
Formbook
0f35727c05b3d8834eb5782a61b729149ed4c94ea752fd1c2f184b44ac48de69
Formbook
11f78a6f1d2cc4587778143bdc8b011ca509978c26ba60bd41fe74bd6773444d
Formbook
54b996853292264a07243297709446507d0a2ca2c02f2d210d13958cdbbbbb03
Formbook
59d3d0d82273ee3a78483d3508a8247593a06826f8531de8ca072718e6609598
Formbook
70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0
Formbook
c0c23f16dae769ddb46296c20c1db31aa99cd619caac9746e3aacd7583f6fe7a
Formbook
eba13fb7add78aecfd66663814ab64327bdb631b6dbdde9af86be4853c3cd599
Formbook
fa3a477577604a91938f7650b04d3dfaa1d8ec12578d3bb2618817529c8b5797
Formbook
+ 1'354 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ar39 rat spyware stealer trojan
Link:
https://tria.ge/reports/230904-f66k9adh6z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
bbc1c5a8e8fa5c32dc40280ee60bf2b02943d0e7e78ab941bf76e9a205bb66b7
MD5 hash:
c66926f881602e0ff64703eadd1fc37f
SHA1 hash:
9bebdba00f433c89c04047f049065c86182b825a
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/7c6e11c2-33b3-477a-b1b8-a19283c57898/
Parent samples :
54b996853292264a07243297709446507d0a2ca2c02f2d210d13958cdbbbbb03
0f35727c05b3d8834eb5782a61b729149ed4c94ea752fd1c2f184b44ac48de69
3d1df1745e8d882bc8ec2bc5913340e98e74be55296020a3bdf6ad8ee638ca7c
SH256 hash:
9caab439d50248fc0b26674ffacb6d39c6d65ca075ec56e38ac5d744b5e81364
MD5 hash:
0b438855b8cc42101d1ea455c7795999
SHA1 hash:
a53a5182d15cc9a525863d1ad6fdb3adb673504a
Link:
https://www.unpac.me/results/7c6e11c2-33b3-477a-b1b8-a19283c57898/
SH256 hash:
0e105b75b8d49cf6129af774e9d7e37ac315e6e90d2911d3cc583854482a9e95
MD5 hash:
ac144e03b94b8bbcfa4d8f0d8f8d0dd7
SHA1 hash:
1e955889309d8a230a4ae4779cf6f839ef5f520a
Link:
https://www.unpac.me/results/7c6e11c2-33b3-477a-b1b8-a19283c57898/
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/7c6e11c2-33b3-477a-b1b8-a19283c57898/
Parent samples :
cef72412a1dd9486bae5f7e606d4330660fba98575ba1c939559ccc83536f41a
81ccf158093718305b3499d0f16d8a82bcad69f2740066daca8d5b5ca9979688
SH256 hash:
3d1df1745e8d882bc8ec2bc5913340e98e74be55296020a3bdf6ad8ee638ca7c
MD5 hash:
3cf718db93cb6349a4cdb25e2f9fe183
SHA1 hash:
d1546f295bc2e89941e32402d7b9379306c958b3
Link:
https://www.unpac.me/results/7c6e11c2-33b3-477a-b1b8-a19283c57898/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3d1df1745e8d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d1df1745e8d882bc8ec2bc5913340e98e74be55296020a3bdf6ad8ee638ca7c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3d1df1745e8d882bc8ec2bc5913340e98e74be55296020a3bdf6ad8ee638ca7c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/445912/

Comments