MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f633ef17fcbc3f2f34548cbf4af305f64873fefa7af6d3bcbde2b070b31f8a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f633ef17fcbc3f2f34548cbf4af305f64873fefa7af6d3bcbde2b070b31f8a3
SHA3-384 hash: e0ce568a06f504219e40ee5edb301ad0be3d0ae777c8e1ab422e89b3b34e25fa0783d6f01304b8f82bd56f9158a578e3
SHA1 hash: 92ffa221871ac5e06f922fab78612cab719d1ea3
MD5 hash: 74ff75428def775b6923837c23b0de18
humanhash: lamp-alabama-july-hamper
File name:DHL-ONHOLD-RECIEPT 7807431483.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:788'992 bytes
First seen:2022-03-16 07:58:38 UTC
Last seen:2022-03-16 09:30:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:KOzZwOEKmHM9hkjCF84MoZ1VfF93jJk8fj52Iz1f0Rxnu+yz:KOzZwO5mggCFBFFFffxf0bLq
TLSH T13AF4122433E8DF56EFFE8E3AF43115151732E35A74A2E36E5995A8FE1A93B54000039B
File icon (PE):PE icon
dhash icon 80c4ececececc480 (6 x AgentTesla, 5 x Formbook, 5 x SnakeKeylogger)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/251256/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.26272.5541.9920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/33fdfdcc-ea32-4ff0-ab33-95763aeea915
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/957764
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5f633ef17fcbc3f2f34548cbf4af305f64873fefa7af6d3bcbde2b070b31f8a3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-16 08:01:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
21 of 41 (51.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l5rt54l7zpb7f42fjdf7jlzql5siop7pu6xw2o6l3yvqoczr7crq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:private rat spyware stealer trojan
Link:
https://tria.ge/reports/220316-jvfggahbfq/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook Payload
Formbook
Unpacked files
SH256 hash:
902abd029c2ffb3b0caec8ad8edd214b64f9756ce53a58b6b066769dd5c8a805
MD5 hash:
cf9002f69be94066950b8d62ad2623ec
SHA1 hash:
7ac3b755606730ace44f5fb491a376eec064d473
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bf65518f-dc6d-49aa-9c21-9275b74a7c1c/
Parent samples :
5f633ef17fcbc3f2f34548cbf4af305f64873fefa7af6d3bcbde2b070b31f8a3
a6c9d8fdd84cae9e61caded848605b1b3da4ea05a7d20d74400053cdedf0850d
e320d82067b3b2fe0cd1d0b8c0655f8c974b60c4a1834b37a51d6170c615edc3
3e71d457ca114497a6b54846e2f6d571db0619199c046d4fed20bbc93d50e7bd
8636859de5eb225cb108b7d095f229e68293c827e565eda640d97ddcab6b6135
02dd876edf632bdebf413acf1ab9d1087c4ce9989d46e527d8a6ec5111862e08
SH256 hash:
96c53cefa482d6ddbefa24c4be9fa1cee04090d60f851eee3b6fe38413c19be3
MD5 hash:
9ec2aacbd845d183166661c9276d5b31
SHA1 hash:
fd8cc64d8367b6d65a63308177af1a2ef0b98cba
Link:
https://www.unpac.me/results/bf65518f-dc6d-49aa-9c21-9275b74a7c1c/
SH256 hash:
4ffb59b76867dc3ee5df8b1476a82043c8bbfa9679aa90a2e4b937292b3722b8
MD5 hash:
fc6d91ff314356715f5c76ba61240c9f
SHA1 hash:
aac8291f9af1c2e18b8302550ee4d1c96120949a
Link:
https://www.unpac.me/results/bf65518f-dc6d-49aa-9c21-9275b74a7c1c/
SH256 hash:
cb892cb360d0ec68f258125e3d9c36ab225ae586a72cbdd928e3d8abb311f4c8
MD5 hash:
899eb141139b1b8bf3b3f6c1f43e1df7
SHA1 hash:
676be0db83d6818a6bd79d51abdb5e459705ddca
Link:
https://www.unpac.me/results/bf65518f-dc6d-49aa-9c21-9275b74a7c1c/
SH256 hash:
5f633ef17fcbc3f2f34548cbf4af305f64873fefa7af6d3bcbde2b070b31f8a3
MD5 hash:
74ff75428def775b6923837c23b0de18
SHA1 hash:
92ffa221871ac5e06f922fab78612cab719d1ea3
Link:
https://www.unpac.me/results/bf65518f-dc6d-49aa-9c21-9275b74a7c1c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f633ef17fcbc3f2f34548cbf4af305f64873fefa7af6d3bcbde2b070b31f8a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5f633ef17fcbc3f2f34548cbf4af305f64873fefa7af6d3bcbde2b070b31f8a3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/251256/

Comments