MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4627b5c64c1c639a6930dd1f9f135e396853e6bf418c8c0d3c6eaec18b3cdc12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4627b5c64c1c639a6930dd1f9f135e396853e6bf418c8c0d3c6eaec18b3cdc12
SHA3-384 hash: 37f4bf16edb1c84a77c58502d8bca94c87296cd1806c9f3c0d0476a5366739d121b1f438d6b44b469449dd6e5e0fe265
SHA1 hash: cc17ce0e7604bbec88bed251b4d0c558937e8cca
MD5 hash: ca52410c92b154cb65d995ead63531f8
humanhash: robin-kentucky-cup-fillet
File name:DHL Shipment.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:670'208 bytes
First seen:2023-05-09 06:45:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:6BUA/v2wUhcgyHr626EoWavmyXsgHQlIh2++eZK7/e/hTvzU3FreOrbNj5Ayhr:6BUA/+OqEkvnsgHkBNretLPOX3P
Threatray 2'761 similar samples on MalwareBazaar
TLSH T18AE4E1B4A0AB4AE6E20B8A70197CBDB51E7271D3EDC5467807385541CFBBB243F8854E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0b1b9a92b4646968 (9 x Loki, 7 x AgentTesla, 5 x SnakeKeylogger)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Shipment.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-09 06:48:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7405ebf7-a703-4c5c-9e6f-6b4206955bd9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/387690/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6459ebf8d860ee3e1ca66330/reports/9bd3dc02-1b41-40e2-a1ec-73ce64832ef8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/4627b5c64c1c639a6930dd1f9f135e396853e6bf418c8c0d3c6eaec18b3cdc12
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99c8bebb-e583-4246-98fe-02986a8bee9a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1228899
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4627b5c64c1c639a6930dd1f9f135e396853e6bf418c8c0d3c6eaec18b3cdc12/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-05-09 06:46:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iyt3lrsmdrrzu2jq3upz6e26hfufhzv7iggiydj4n2xmdcz43qja._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04641e247441a72cb287998b6f36b49959d43cfef538dd806aea04a8606817fb
Formbook
4a5ee921941ba55cd069a52fc95732b78f4c430a28236c3bd752ac350e4ffa79
Formbook
6982ab1d029213bfcfbc542eee0d955b770f5c0df083dc94463c441e2de35fe5
Formbook
7d0fdf3abd56e00933c0fa8cf573b948a4c9d85248915249f1909e6775f75e75
Formbook
a0944a8143c9b1520e9d4c27ba2a6699eafc3352c7fecee0039ab0f410b047ff
Formbook
c11514fce0720af2328f702e0a42aaea3b9d4ef635de46d638a9ca0629e5f75d
Formbook
c1a8208a8af8fb2ab397e586ea8a7f265921e6f21eb592af42a8f5c805d18557
Formbook
cc9fd84fffa1811ef3177586d7c6aee88dc4dc5412fd658ee4bb36ff934eec01
Formbook
cfe9062e6bd88ae993c3e8b295386c2e5e9aa7d8b9ceb168f56ccd3e0e5cbe36
Formbook
fbcd0824d723107fbf65f4d82506544ff6514364e745242e74a8d7f86d16575f
Formbook
+ 2'751 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230509-hh3kssge51/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
1bc00323ba02f4d7b8020d1e3feb7c7d0b2b4d4eae3c02613f533179740dd10b
MD5 hash:
d252c5f1e177249b467c6e81ee50e917
SHA1 hash:
3071014db2840ccef5959b7394748dfd85bed3d0
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/2d57a3d7-1b28-4cb0-881e-3625b9a296f0/
Parent samples :
4627b5c64c1c639a6930dd1f9f135e396853e6bf418c8c0d3c6eaec18b3cdc12
00e18c9bceefb7ce5810a575af9f6325dabc4d2421a447433629f2e29bed20be
e5a75ed3a164d322279af143c007028a5e94a52c11e4fa674c37a48c79237d27
SH256 hash:
8a38ca1ef4c48d89b9e92667aed07c046fd4765c11eac2a76ef1c2750c32383d
MD5 hash:
4063ef5cb280a735fdf45fbb5fff9cf5
SHA1 hash:
7d2a51a81714e236b2bfff434095be9e3dc15ee2
Link:
https://www.unpac.me/results/2d57a3d7-1b28-4cb0-881e-3625b9a296f0/
SH256 hash:
4b21dd52c175309d76433c2d99ec0cd0455864040976c6716ac90469fde897e7
MD5 hash:
39da984cc21445a7dee1a59fbf8e2b50
SHA1 hash:
f043e91b0aa612bfed977f43b151ac3442dbfd19
Link:
https://www.unpac.me/results/2d57a3d7-1b28-4cb0-881e-3625b9a296f0/
SH256 hash:
83fde4c9e3bd778ea729691f2dbae3a3921ca37c620873d5015e059366bd45ab
MD5 hash:
875c44e3510ef7b26167c427e22985fb
SHA1 hash:
7085e54effb2e903cbf2bface0dad4bd28d4a7c1
Link:
https://www.unpac.me/results/2d57a3d7-1b28-4cb0-881e-3625b9a296f0/
SH256 hash:
5a4395f42224d026c41663982349655c784718a1f5298cf5e7d6d85549d332cf
MD5 hash:
cc531e4d701e080cf0a6514fab4e0a03
SHA1 hash:
2f6f38d7a5860791284ad0da2134474de46ed65c
Link:
https://www.unpac.me/results/2d57a3d7-1b28-4cb0-881e-3625b9a296f0/
SH256 hash:
d8fc5dfdf2800247eb610beb076fec4d2becf6d951e89445d43237fe97814218
MD5 hash:
e5d93dadd08b8bc727e4f4853c6881ba
SHA1 hash:
27e0e057d33f01586193b0cbf06561c2863951f4
Link:
https://www.unpac.me/results/2d57a3d7-1b28-4cb0-881e-3625b9a296f0/
SH256 hash:
4627b5c64c1c639a6930dd1f9f135e396853e6bf418c8c0d3c6eaec18b3cdc12
MD5 hash:
ca52410c92b154cb65d995ead63531f8
SHA1 hash:
cc17ce0e7604bbec88bed251b4d0c558937e8cca
Link:
https://www.unpac.me/results/2d57a3d7-1b28-4cb0-881e-3625b9a296f0/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4627b5c64c1c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4627b5c64c1c639a6930dd1f9f135e396853e6bf418c8c0d3c6eaec18b3cdc12

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/387690/

Comments