MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9
SHA3-384 hash: c12c654be2f41168a2859dadc281bfac43d995149b0b8b4a3ebc4aa84eac52dca2f23c6eb850645d6bcb68537754bd4f
SHA1 hash: 168679807c96c893221252a50d8884760e29ac49
MD5 hash: 81a5c535b46c2a330913597e8f888f25
humanhash: quebec-cola-nevada-aspen
File name:(DHL) Original BL, PL, CI Copies.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:388'414 bytes
First seen:2023-09-29 11:28:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep 6144:BnPdudwDsOGVkx6NDrYDo82AN2B1LUYuhrCd/uAkDR1FyENc/LRxJW6ah4U73C9S:BnPdwOxxCDvAN2B1KChuAk1jWrJWPpyS
Threatray 136 similar samples on MalwareBazaar
TLSH T1838423F023CC54FBEC6357B09D37E5365AA96A1300E0721A67252FD43BB52429E1E7A3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451928/
Detection(s):
SecuriteInfo.com.Trojan.Loader.1550.24204.1712.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Likely Malicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/6516b4ff32ffdb7a7a18d0df/reports/16a35c09-14c4-40c5-89de-344617c570af/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd420e42-cc52-4dc5-9ffd-af31299f1298
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316450
Signature
Antivirus / Scanner detection for submitted sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9/
Threat name:
Win32.Trojan.Garf
Create hunting rule
Status:
Malicious
First seen:
2023-09-28 14:01:33 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lfi456aaq273ftq4xmliajqs4m3gkjnkst26xthtklbxmg6pcxmq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8
Formbook
1f9a84f1b9a2d6e91efcf84470f260e867ac8c2a6c42109ceae024d9f370cd8f
Formbook
314b0463e6de6de56467f023dd2ddbf799d883e2e65552ddf2b87f607eedc5ae
Formbook
50f83575bd53ca54e6cccc82a0c6e2cf51947f2af2284701916e87500271e0e1
Formbook
58357272406c20e677f34777d792bdecc67f8502616621858a609d9cd8e3bd7e
Formbook
8326158d0aea2a3ee6a49cc3f88e1c3779eb479790a8b0451133a09c1ca0a777
Formbook
b47036189825426c6e368fd21594aaba8dbdcf573464d2939f99da44c9874b97
Formbook
becae35d75141130a7aedcba04c2161c38b3664e82dbdca5ba6a595db6c36789
Formbook
ddaf7103efc84cb134bee71c72019484a149adfdb7e6af9e3f08eebfe0e5a2d5
Formbook
f031fa03b61bd7a49d1500d642e46b4701c6ed40f34a3dc063c4404c7fd5de95
Formbook
+ 126 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230929-nlkr2sbd63/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
38e5fd58c7a41df7f5bdd0b4da74ba20a43a48bff92b36f4f1d215fe6c1b8f24
MD5 hash:
249fc0616b7d71b8fa6cb6228c706f82
SHA1 hash:
10d99aed3d2f47b89b8deca25d9b630efebabc15
Link:
https://www.unpac.me/results/9b8efcef-b853-40e6-9066-655043d210ef/
SH256 hash:
5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9
MD5 hash:
81a5c535b46c2a330913597e8f888f25
SHA1 hash:
168679807c96c893221252a50d8884760e29ac49
Link:
https://www.unpac.me/results/9b8efcef-b853-40e6-9066-655043d210ef/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5951cef80086/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/451928/

Comments