MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c205cffc83f7be274773fb1c3aa356b29d97e4d62a83e79c5fd52eadc3ed695. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c205cffc83f7be274773fb1c3aa356b29d97e4d62a83e79c5fd52eadc3ed695
SHA3-384 hash: ae43b2df7a9ea2c0097117c221959aa88a4b94e892713479f47436084232f2bc612fdc32d08393edf81df5494f83fa95
SHA1 hash: d0593187a473a19564a67819050023c9144b30c2
MD5 hash: 749dfc8bf52422ce77ed59a60c2f395e
humanhash: pluto-robert-foxtrot-carolina
File name:DHL.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:720'384 bytes
First seen:2023-04-19 13:11:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:JZBO5ZZC/W2n9q91gO07uUxLq4Hy0xV8iCYDXkKCPdJWHroXUC:JZqTC/fCE7H5SYDXkKCPdJWHroXX
Threatray 2'590 similar samples on MalwareBazaar
TLSH T1BEE4019C93A5D6ABC1A80FBC402AA1842B749DE73936C23DDFC7744DBB73B041895A47
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b42549516949694d (7 x Formbook, 3 x GuLoader)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
US US
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL.exe
Verdict:
Malicious activity
Analysis date:
2023-04-19 13:13:56 UTC
Tags:
stealer formbook trojan
Link:
https://app.any.run/tasks/3e713601-f2d2-47b7-82ff-057e04ea51db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/383289/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643fe8a4000396b4e9997900/reports/afd4ff09-4294-4d32-b5e6-07fe3ec827ad/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5c205cffc83f7be274773fb1c3aa356b29d97e4d62a83e79c5fd52eadc3ed695
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f569a3d-b7d5-4f18-9203-c221df9e7579
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217558
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 850497 Sample: DHL.exe Startdate: 20/04/2023 Architecture: WINDOWS Score: 100 31 www.necessarymusthave.shop 2->31 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 3 other signatures 2->43 9 DHL.exe 3 2->9         started        signatures3 process4 file5 23 C:\Users\user\AppData\Local\...\DHL.exe.log, ASCII 9->23 dropped 53 Injects a PE file into a foreign processes 9->53 13 DHL.exe 9->13         started        signatures6 process7 signatures8 55 Modifies the context of a thread in another process (thread injection) 13->55 57 Maps a DLL or memory area into another process 13->57 59 Sample uses process hollowing technique 13->59 61 Queues an APC in another process (thread injection) 13->61 16 explorer.exe 2 1 13->16 injected process9 dnsIp10 25 www.superios.info 184.94.212.57, 49701, 49702, 80 VXCHNGE-NC01US United States 16->25 27 www.gestionamostualquiler.org 46.30.213.145, 49699, 49700, 80 ONECOMDK Denmark 16->27 29 11 other IPs or domains 16->29 33 System process connects to network (likely due to code injection or exploit) 16->33 35 Performs DNS queries to domains with low reputation 16->35 20 cmstp.exe 13 16->20         started        signatures11 process12 signatures13 45 Tries to steal Mail credentials (via file / registry access) 20->45 47 Tries to harvest and steal browser information (history, passwords, etc) 20->47 49 Deletes itself after installation 20->49 51 2 other signatures 20->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c205cffc83f7be274773fb1c3aa356b29d97e4d62a83e79c5fd52eadc3ed695/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqqfz76ih556e5dxh6y4hkrvnmu5s7snmkud46of7vjovxb622kq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c5bd52278038e9194792544aa9ba56fa2fc62cdd74b5f5e47d8ab6ee7db5d0e
Formbook
17483ba2526d9ba490c29dc88e5c1a066b0c26f22243e02d312542a53f292393
Formbook
4a5ee921941ba55cd069a52fc95732b78f4c430a28236c3bd752ac350e4ffa79
Formbook
5e86212f51e61517dde3cc7d0c36b73a392816d73e18bd14d83b374bcf17ecf5
Formbook
7a0e239373c991f758c18775dd9fe07f62c6eb0ed45e74af677352f92bb457f2
Formbook
80c6293d18c38b686ea6ab60d134247f8d72553be2d20a305b94c78115227667
Formbook
a3225cdecee4f51aef9815859cdbaa70d5ce3b5e97d52518a5e0c5e2ac5deb12
Formbook
e014baadd84bece77f1f8366ea528671bf0bd70fcee974fe1a262bb0ec0a2565
Formbook
e33b0f4ba7b4fdf2db2287038d614e269eb88959acd1c6937882ad6a977d6e5b
Formbook
f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad
Formbook
+ 2'580 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230419-qfg53saf72/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SH256 hash:
47bd779a5befbead72c8229d574458242d050103404ac06718eab4be2cb39307
MD5 hash:
6bda7577ac99ef30fb7140b457e9d71e
SHA1 hash:
047e8a9766421dfff781cba58004bb404a1d826c
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/f2038594-ed0e-413c-a7e9-fc337bf66965/
Parent samples :
f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad
e33b0f4ba7b4fdf2db2287038d614e269eb88959acd1c6937882ad6a977d6e5b
5c205cffc83f7be274773fb1c3aa356b29d97e4d62a83e79c5fd52eadc3ed695
24f98f7fef3de7a8c4ae83117f7fed32c749684bc87cdcc7d1c96236d7278e03
0fdc5a8bd9026a352ad7c986e4c690f7a85924235ef648a2a313f12f9ea885d5
67c1c8e08ebe65a80ae06b9d4011567f4cd8d1e05479b88e061a818dfe467493
37dd8f68f4822145ca8fbc462d106ae15fecb420f910b5c122d0a3fc0272265a
SH256 hash:
d5ae693ca9561d9b6756f25f0d88573e4b10287ce2dde30993303ececbe9e780
MD5 hash:
644813507d720f1ecb69c1fb563491c1
SHA1 hash:
2d1e046b4160bcc1b7f0e2cbefeeeaf6bc5ee11a
Link:
https://www.unpac.me/results/f2038594-ed0e-413c-a7e9-fc337bf66965/
SH256 hash:
5e5c8fe4e53980a98b48fe6b19155edf0f0d285ed899c61dbf4f880583ddf1d2
MD5 hash:
b3bbc5461d12f07ea893bf415dfe7c89
SHA1 hash:
40c3156c471d2afe3fd88c7d20cf93e5782e1bd6
Link:
https://www.unpac.me/results/f2038594-ed0e-413c-a7e9-fc337bf66965/
SH256 hash:
fa9b6a22aa81fe68de0d8a04269391c68ead61ee1ca7ed3113e3fcf2c8dd0f8f
MD5 hash:
cfcc738282cdb94f6fdfab9f9f8008eb
SHA1 hash:
2cf24f8d309d8d68ac71910a2087f35b6b596c1c
Link:
https://www.unpac.me/results/f2038594-ed0e-413c-a7e9-fc337bf66965/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/f2038594-ed0e-413c-a7e9-fc337bf66965/
SH256 hash:
d44042d9c1789961232fb78c15e9c25a52b528d5ca626dd88f9badb5b0112d8e
MD5 hash:
f5264407341ed521e6e7d06c803cffee
SHA1 hash:
1aab525e322884ff1194eabf7dec0a2170845764
Link:
https://www.unpac.me/results/f2038594-ed0e-413c-a7e9-fc337bf66965/
SH256 hash:
5c205cffc83f7be274773fb1c3aa356b29d97e4d62a83e79c5fd52eadc3ed695
MD5 hash:
749dfc8bf52422ce77ed59a60c2f395e
SHA1 hash:
d0593187a473a19564a67819050023c9144b30c2
Link:
https://www.unpac.me/results/f2038594-ed0e-413c-a7e9-fc337bf66965/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5c205cffc83f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c205cffc83f7be274773fb1c3aa356b29d97e4d62a83e79c5fd52eadc3ed695

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/383289/

Comments