MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bc2162ae0ae133d359603b912865d8ed2f26029421a7dcfcf734f2aee216923. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bc2162ae0ae133d359603b912865d8ed2f26029421a7dcfcf734f2aee216923
SHA3-384 hash: 710861279d25a94f1832faf25cccf6141d214078de6a34175fc603a541abed71cb6b6e5670b7aa401167f209308865d6
SHA1 hash: 7b5b0ae5a30e30f17e5748ce7cba6c5d50a7179b
MD5 hash: 5fb3da03451cc7f5cffe0105cd01729d
humanhash: stream-hot-march-helium
File name:DHL Express Shipment Document.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:857'600 bytes
First seen:2023-07-31 07:18:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:sizoXMRjVz12yX+6x1dD+zFKfrja2Y3dW54Y1JBYI:+uhzZxn6Kjgk4UEI
Threatray 3'436 similar samples on MalwareBazaar
TLSH T1ED05B77804BB4E62C221D2BE6AC5E53FF6415CB6611C8D5B529A6F870E03D372C9EC2D
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Express Shipment Document.exe
Verdict:
No threats detected
Analysis date:
2023-07-31 07:21:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c366b2ec-317c-4ade-b2d1-8146a668cdfa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439335/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.4298.1021.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64c76067907b8030b17d1380/reports/60e0e23e-e625-4c17-9322-61993e6e8567/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4bc2162ae0ae133d359603b912865d8ed2f26029421a7dcfcf734f2aee216923
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/340b0a62-2370-40be-804b-5c9784267dc2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1282972
Signature
.NET source code contains very large strings
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4bc2162ae0ae133d359603b912865d8ed2f26029421a7dcfcf734f2aee216923/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-31 07:19:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jpbbmkxavyjt2nmwao4rfbs5r3jpeybjiinh3t6ponhsv3rbnerq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01b671890aaefc4af8c91936da19e526f9b104c0a0db0b82734b3328359da0cb
Formbook
2f4e4ad21cf764b8c109f7dd4ac1e328fb144ad3fd91d692fe1f992f236ee540
Formbook
512861c49503d13c3c1e7c1fff398054eae819195f839aafd803c853cd25143a
Formbook
56ad658ef29551d86add3dc7f16538402f1d894ec746bdf14444a4b01deabda4
Formbook
73ff2753b011fd1295ce8a2ca311a308bdc993e95258fe0b93ee353b08e58403
Formbook
99bb71c925f112035797c13df8af4106c78c305aecea027583007145fce87de7
Formbook
9bc85e2d8b9379ab4b4a7a165602aa01a3251bd131a10d3cc67f494c3a46aced
Formbook
eb9bb2864bcf714084d8b6c2d9dbcf55a30727c8e87d66eef592048dab10dead
Formbook
f2674b3bee2f8ae1a08576a04c6d301e58f33a5c6456d32e09bde8e7997479a1
Formbook
fe612af3d7883a25ca19eca8440e32741aa66e69c80a7275a13bdd91023399c6
Formbook
+ 3'426 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230731-h5htxadc47/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
0a715e9748587e85691c13f847a8e1bfa219db51434caa70fa0ae89ee3e85ac5
MD5 hash:
f00c7ba26caad0623f198080c2e0acde
SHA1 hash:
34877efef97e197b106efda6131089696334145a
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/7b3045fc-03f8-46fb-b29e-b8c661036114/
Parent samples :
4bc2162ae0ae133d359603b912865d8ed2f26029421a7dcfcf734f2aee216923
73ff2753b011fd1295ce8a2ca311a308bdc993e95258fe0b93ee353b08e58403
bdf513cd2e97cb60bc6497c6a6155aa36ab7a32636b3f7d87715f988cd68feab
0fa6047b89faa0096bac58ca8733687cd676b31cd75675654e4e0343ca8ae8c6
131c69adaff732d878e0396149be53da15e8e155daafe995259385c6c28f605b
74eb5168cf1f711833750d0e0f5a25a97cceda943944da21ecc8f1b697ab4e43
41b09d1202db4dfb8db58a5cd9f68953db7d7547fab1c76234b3dd95cfac318e
2d504d5142b27bb57b54d806c01d890fafcc5ba3e41a9a38094ae426c63fb362
SH256 hash:
70f1f71c4ef3234d5a68ec1c7b4455f07031fa44980021d42576798f8008d718
MD5 hash:
d8268f5fb982dc3e522ea4e800edfe56
SHA1 hash:
aa8d82f98d2f3a7df63e7f632a39dffcbefa10a2
Link:
https://www.unpac.me/results/7b3045fc-03f8-46fb-b29e-b8c661036114/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/7b3045fc-03f8-46fb-b29e-b8c661036114/
SH256 hash:
0b21c2aa6d9b8f807ff7171103c0d3311a852223f66c22c0223d2044dfcd8e60
MD5 hash:
d80ad864ea9b71a6f27a19209a17b26a
SHA1 hash:
33b7929963dba2dd3800a6e5ab8c530cb9cbd3ba
Link:
https://www.unpac.me/results/7b3045fc-03f8-46fb-b29e-b8c661036114/
SH256 hash:
decfa1dde998755b2d6d42e8ca9485238c65cf4ffb389ac33069d6b1f4a5ea5d
MD5 hash:
eaf13cc01dd66337823f7133ed2e3055
SHA1 hash:
1a5433bd0734289270a667d2f3d4fd138cb572e6
Link:
https://www.unpac.me/results/7b3045fc-03f8-46fb-b29e-b8c661036114/
SH256 hash:
4bc2162ae0ae133d359603b912865d8ed2f26029421a7dcfcf734f2aee216923
MD5 hash:
5fb3da03451cc7f5cffe0105cd01729d
SHA1 hash:
7b5b0ae5a30e30f17e5748ce7cba6c5d50a7179b
Link:
https://www.unpac.me/results/7b3045fc-03f8-46fb-b29e-b8c661036114/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4bc2162ae0ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4bc2162ae0ae133d359603b912865d8ed2f26029421a7dcfcf734f2aee216923

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/439335/

Comments