MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f22638781b28d9e3675562cf51489eca061600d6b62ea2f16c945649553e2d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	5f22638781b28d9e3675562cf51489eca061600d6b62ea2f16c945649553e2d7
SHA3-384 hash:	1807147d2285f96a1cb6fc899b01192962d0053fa25974322913d402b7c21da5fc57e0e447a863d9aac2722cad9d0980
SHA1 hash:	aeeb867bf3017c9c64edacafb5cd1a05fc4eec84
MD5 hash:	977a0db9d0b846b49e0c02ff7756556b
humanhash:	river-rugby-hydrogen-august
File name:	DHL_SECURED_04082020-04082020.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'166'848 bytes
First seen:	2020-08-05 11:55:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'655 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	12288:ZvwuKhFoCto/h7++H0AvegL8gjkpMeB3JrFN51keZWX86klTc4Iocp8b3Fcp8b3L:ZIunDH0GluM4f71kzgTctpwKpwFAyX
Threatray	5'092 similar samples on MalwareBazaar
TLSH	D445D0617984DF9DC82E0F3074636400EBE1AE560E06F64FACD679EC5BFA6494E1A30D
Reporter	abuse_ch
Tags:	DHL exe FormBook

abuse_ch

Malspam distributing unidentified malware:

HELO: server.macartajans.com
Sending IP: 89.252.130.69
From: noreply@dhl.com
Subject: DHL Express Shipment Confirmation
Attachment: SECURED_DHL_PACKAGE_DETAILS.IMG (contains "DHL_SECURED_04082020-04082020.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

82

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/39517/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/411096

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/5f22638781b28d9e3675562cf51489eca061600d6b62ea2f16c945649553e2d7/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2020-08-05 05:22:29 UTC

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l4rghb4bwkgz4ntvkywpkfej5sqgcyannnroulywzfcwjfkt4llq._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

Similar samples:

07f7b852dc1cd3c5527fef6c09019b723a9e17ddc6b236c16e992784940b7a81

0bf6ccdd920a50186f7318c51564ecc8f502302b084a5fda3feadb0d51e40f24

11ed9b9e406c0dd0f8eebc68a84ed4790d73d051584206acce260627390ec049

19f43d1f8fd11eccbdb2d9ce05a16983fe394cbd92943bc57943e4bbbb686687

1e82d551bb0693edad6a527c0355b59476d25afc326168b616205fe186ca5a30

567501cea05864d3014fb29cd4d74eb3e18dfdfb73f0669f5c0592fc73779afc

70ecffff57ecd39682bc7de003d937b43d0b0c9bfaadd315d236627475608e54

7eb341c011c4ea364ef927cfc57ac980111e9c49012834c3760896fec7f04d52

aa75e63b890a713e629ed607eb77aceb60982bd0027a9189893c0ac63827f116

b2528047a7c839ca84e666660705feb2bcda640a0d5686d063406446176f3cc0

+ 5'082 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/200805-l86y2d14ge/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5f22638781b28d9e3675562cf51489eca061600d6b62ea2f16c945649553e2d7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img a857d5e29f5154800d0000b79d3bd4f0e967242eda957c5f175c239840280716

exe 5f22638781b28d9e3675562cf51489eca061600d6b62ea2f16c945649553e2d7

(this sample)

Dropped by

MD5 fa581b9ad166b224147db3ffa789b479

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/39517/

Dropped by

SHA256 a857d5e29f5154800d0000b79d3bd4f0e967242eda957c5f175c239840280716

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample