MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47e832373110163a11b922941cb9a2377c7e44ed290a528073152b0fb1ffef93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47e832373110163a11b922941cb9a2377c7e44ed290a528073152b0fb1ffef93
SHA3-384 hash: 94c6793dd25a54c64ebc785e3c90a7ef469d7974da1a5088406390b39b5cf8ebaaa9ca470fa39509f0fef06df2213e7c
SHA1 hash: c4c2bd10d4e5a21997e1b5a2eec5beccd63759ea
MD5 hash: 54e12bb22e93723f1207f9b0c68ce740
humanhash: oregon-cup-harry-kentucky
File name:DHL Receipt_AWB811470484778.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'246'208 bytes
First seen:2021-05-06 07:14:25 UTC
Last seen:2021-05-06 08:04:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:tP6lfqSXnoJQSfo9PwSNGAQI7/OGBbuqPFxeElvzLVMAcfNQBLSi:Rvaj9oSN77/OGMyHlbxxcfNxi
Threatray 5'018 similar samples on MalwareBazaar
TLSH 1D45AE5222589624D03E13719062C93947F67E42E773D72D6AE67EAB3F33280DB67207
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/151382/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Sending a custom TCP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/713556
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 405703 Sample: DHL Receipt_AWB811470484778.exe Startdate: 06/05/2021 Architecture: WINDOWS Score: 100 31 www.saibailong.com 2->31 33 www.impianramai.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 6 other signatures 2->47 11 DHL Receipt_AWB811470484778.exe 3 2->11         started        signatures3 process4 file5 29 C:\...\DHL Receipt_AWB811470484778.exe.log, ASCII 11->29 dropped 57 Injects a PE file into a foreign processes 11->57 15 DHL Receipt_AWB811470484778.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.szwj91.com 156.241.53.197, 49736, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 18->35 37 907wine.com 192.185.226.16, 49721, 80 UNIFIEDLAYER-AS-1US United States 18->37 39 18 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 wscript.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/47e832373110163a11b922941cb9a2377c7e44ed290a528073152b0fb1ffef93/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-06 02:57:37 UTC
AV detection:
5 of 47 (10.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i7udenzrcalduenzekkbzoncg56h4rhnfefffadtcuvq7mp756jq._file
Verdict:
malicious
Similar samples:
452534ffdab7839250b44f52865d7e4e60d13deec5e13637514dd614ad46539c
Formbook
462ede8a2b37164863953764e75ccb25c0224396475dbaf96f6dbb6b51484257
Formbook
6bd5e5d02430922bfce2893c805028ae0374fee203235b379856f8bc5f574a76
Formbook
719604b516f11740266b2c7a8a61129f779caf4c1f9e16bac35d39f5792a009b
Formbook
8690761fe4808f23b053db569ecff1a5e3ad82a4df2ee58c04b156877210456b
Formbook
b4881cc38748284029b7008aaf75c0f1f85a4dcb70a61425e787325736c83f36
Formbook
cfc09cd2a2109a174ccbc346779f2e19316be4601173e2e85c3e4314cc139017
Formbook
dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450
Formbook
e1339c4548f73e4f250fed46d56bbce84491ca122aed7527731bb8d72df83e11
Formbook
fa768e26f300f2c19ef11635dd836b031e0b5352d86d40cdc24284bf874230e7
Formbook
+ 5'008 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210506-bm7ks8rlh2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.maleev.design/a7dr/
Unpacked files
SH256 hash:
bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87
MD5 hash:
826b29e2a141b055a5491c9d7dc6eea7
SHA1 hash:
af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9
Link:
https://www.unpac.me/results/6053f78e-b6ec-4160-a496-a8ea800b8d90/
SH256 hash:
47e832373110163a11b922941cb9a2377c7e44ed290a528073152b0fb1ffef93
MD5 hash:
54e12bb22e93723f1207f9b0c68ce740
SHA1 hash:
c4c2bd10d4e5a21997e1b5a2eec5beccd63759ea
Link:
https://www.unpac.me/results/6053f78e-b6ec-4160-a496-a8ea800b8d90/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/47e832373110163a11b922941cb9a2377c7e44ed290a528073152b0fb1ffef93

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 47e832373110163a11b922941cb9a2377c7e44ed290a528073152b0fb1ffef93

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/151382/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-06 08:13:02 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection