MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60d08c361dfc327938059a2afd1ea0d102c6e24df503c7c6452f3add31297f37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 13



SHA256 hash: 60d08c361dfc327938059a2afd1ea0d102c6e24df503c7c6452f3add31297f37
SHA3-384 hash: c701ac8730dc9bb92542ace0301d7c636c4de37b8f99281a8232144b0afe9cd26846b036d928e040712c6b80f132c09a
SHA1 hash: 94011d49ec3c21fe858bd5b394bd5bd286788a2e
MD5 hash: 3e7cad35813f919d2ef89f15ca50de95
humanhash: nuts-carbon-nineteen-texas
File name: DHL Shipment doc.exe
Signature Formbook
File size: 766'976 bytes
First seen: 2023-01-25 20:26:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:Ub7iTIUo1A/J9sEl+sCRQKdna6ewbSTkeOfYO3I49/CHrxKUIQMsS:UviTIa9+sCRddna6e9TMY4AL
TLSH T1C1F4BEBC7794AD8EC0178FBB85542D00AA20F4B75F53F383A04B01599A1EBDE8E556E3
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon 609e696169701000 (17 x AgentTesla, 5 x Formbook, 2 x SnakeKeylogger)
Reporter abuse_ch
Tags: DHL exe FormBook

Intelligence


File Origin
# of uploads:
1
# of downloads:
189
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Shipment doc.exe
Verdict:
Malicious activity
Analysis date:
2023-01-25 20:27:01 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Deletes itself after installation
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph ID: 791797
Sample: DHL Shipment doc.exe
Start date: 25/01/2023
Architecture: WINDOWS
Score: 100
Network contacted at top level: www.addedinformation.com
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
Process tree:
  DHL Shipment doc.exe (started)
    dropped file: C:\Users\user\...\DHL Shipment doc.exe.log (ASCII)
    DHL Shipment doc.exe (second copy, started)
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (injected)
        network: detail.tips 37.97.254.27, ports 49726, 49727, 49728 (TRANSIP-AS, Amsterdam, the Netherlands, NL); ecomicsvilla.com 198.252.102.191, ports 49718, 49720, 49721 (HAWKHOST, CA, Canada); 6 other IPs or domains
        signatures: System process connects to network (likely due to code injection or exploit); Uses netsh to modify the Windows network and firewall settings
        netsh.exe (started)
          signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Deletes itself after installation; 2 other signatures
Threat name:
Win32.Trojan.Pwsx
Status:
Malicious
First seen:
2023-01-25 08:30:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
15 of 39 (38.46%)
Threat level:
5/5
Verdict:
malicious
Label(s):
formbook
Result
Malware family:
n/a
Score:
7/10
Tags:
n/a
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
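The injection chain the sandbox reports above describe (the sample starts a second copy of itself and hollows it using SetThreadContext, WriteProcessMemory and APC queuing; that copy injects into explorer.exe; explorer.exe then launches netsh.exe, which harvests mail and browser credentials and deletes the original file) can be expressed as detection logic over process telemetry. The following is an added example, not code from MalwareBazaar or from any of the sandbox vendors quoted on this page. The event records, field names, PIDs and GrantedAccess values are constructed to resemble Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess); netsh.exe is taken from this page, the other binaries in the watch list are an assumption for illustration, and the events are assumed to arrive in chronological order.

```python
"""Flag a Formbook-style hollowing and explorer.exe injection chain over
constructed, Sysmon-like process events (added example, not vendor code)."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Win32 PROCESS_* access rights as they appear in Sysmon GrantedAccess.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Binaries to watch when spawned by an explorer.exe that was injected into.
# netsh.exe comes from this report; the rest are an assumption for illustration.
LOLBIN_WATCHLIST = {"netsh.exe", "cmd.exe", "svchost.exe", "msiexec.exe"}


@dataclass
class Event:
    """Minimal Sysmon-like record (field names are assumptions)."""
    event_id: int                      # 1 = ProcessCreate, 10 = ProcessAccess
    pid: int
    image: str
    parent_pid: Optional[int] = None   # Event 1 only
    parent_image: Optional[str] = None
    target_pid: Optional[int] = None   # Event 10 only
    target_image: Optional[str] = None
    granted_access: int = 0


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_user_path(path: str) -> bool:
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p


def detect_hollowing_chain(events: List[Event]) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings: List[str] = []
    injected_into: Set[int] = set()   # pids opened with write + thread rights

    for e in events:
        if e.event_id == 1 and e.parent_image:
            # (a) a user-path binary starting a second copy of its own image:
            # the setup step of process hollowing (create, then overwrite).
            if _base(e.image) == _base(e.parent_image) and _is_user_path(e.image):
                findings.append(
                    f"self-spawn by {_base(e.image)} (pid {e.parent_pid} -> {e.pid})")
            # (c) an explorer.exe that was injected into launching a
            # watch-listed binary: the second stage seen in this report.
            if (_base(e.parent_image) == "explorer.exe"
                    and e.parent_pid in injected_into
                    and _base(e.image) in LOLBIN_WATCHLIST):
                findings.append(
                    f"injected explorer.exe (pid {e.parent_pid}) launched "
                    f"{_base(e.image)} (pid {e.pid})")
        elif e.event_id == 10 and e.target_image:
            # (b) cross-process access with write and thread-creation rights
            # originating from a user-path image.
            if (e.granted_access & INJECT_MASK) == INJECT_MASK and _is_user_path(e.image):
                injected_into.add(e.target_pid)
                findings.append(
                    f"{_base(e.image)} (pid {e.pid}) opened {_base(e.target_image)} "
                    f"(pid {e.target_pid}) with access 0x{e.granted_access:x}")
    return findings


# Constructed telemetry mirroring the process tree in the report (assumption).
SAMPLE = "C:\\Users\\user\\Desktop\\DHL Shipment doc.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
NETSH = "C:\\Windows\\System32\\netsh.exe"

CONSTRUCTED_EVENTS = [
    Event(1, pid=4000, image=SAMPLE, parent_pid=1200, parent_image=EXPLORER),
    Event(1, pid=4100, image=SAMPLE, parent_pid=4000, parent_image=SAMPLE),
    Event(10, pid=4000, image=SAMPLE, target_pid=4100, target_image=SAMPLE,
          granted_access=0x1FFFFF),
    Event(10, pid=4100, image=SAMPLE, target_pid=1200, target_image=EXPLORER,
          granted_access=0x1FFFFF),
    Event(1, pid=4200, image=NETSH, parent_pid=1200, parent_image=EXPLORER),
]

# Constructed benign activity: a normal launch and an admin running netsh.
BENIGN_EVENTS = [
    Event(1, pid=5000, image="C:\\Program Files\\App\\app.exe",
          parent_pid=1200, parent_image=EXPLORER),
    Event(1, pid=5100, image=NETSH, parent_pid=5200,
          parent_image="C:\\Windows\\System32\\cmd.exe"),
]

if __name__ == "__main__":
    for finding in detect_hollowing_chain(CONSTRUCTED_EVENTS):
        print("ALERT:", finding)
    print("benign findings:", detect_hollowing_chain(BENIGN_EVENTS))
```

The rule keyed on step (c) only fires after step (b) has been observed against the same explorer.exe PID, which keeps ordinary explorer.exe children (every program a user double-clicks) out of the alert stream; a user running netsh from a console is likewise not matched.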
Unpacked files
SHA256 hash:
bd303fd2ab119ddc1607f2fbbaa7c6cd68bb011a00b2ace90b46e60d2f801ff2
MD5 hash:
20901cf4f458166b8169f41927064e85
SHA1 hash:
1a19b665a2e0c2c5866a48cbbca39cedc3dc211c
Detections:
win_formbook_w0 win_formbook_auto win_formbook_g0
SHA256 hash:
1b546961ab8c72ebec9f56b58c384216186a4b6bf733152086f3914d32604951
MD5 hash:
d5ee852097264cc227344da230542e6c
SHA1 hash:
8a869fd5f0aba52ba289ec5541b0eef914bdaf71
SHA256 hash:
02ea72259d6695f5ef92ef9c9bca36623868a1385a3534e7def5a20dbaf03252
MD5 hash:
d84ad4873bb3be51c7e5abe41e1e9a32
SHA1 hash:
b3eb6d7f30a22d360edc878ad9c04fe0f8311e4e
SHA256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
SHA256 hash:
0aa657731b2861e27800c1cdf25f4d3c9f76e896c7caf759e3cec14d81a80770
MD5 hash:
4252320553628759dcb2fdc15b5f644b
SHA1 hash:
7c1df8574096842c2351d18b0031c20f324e532b
SHA256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
SHA256 hash:
60d08c361dfc327938059a2afd1ea0d102c6e24df503c7c6452f3add31297f37
MD5 hash:
3e7cad35813f919d2ef89f15ca50de95
SHA1 hash:
94011d49ec3c21fe858bd5b394bd5bd286788a2e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. They are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
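Both YARA hits above key on the import hash, and the file information lists that imphash, f34d5f2d4577ed6d9ceec516c1f5a744, as shared with 48'666 AgentTesla, 19'479 Formbook and 12'209 SnakeKeylogger samples. That value is the hash of the single import every .NET PE32 executable carries, mscoree.dll!_CorExeMain, so it identifies "a .NET executable" and nothing more. The block below, an added example rather than code from MalwareBazaar, pefile or either rule's author, reproduces the imphash calculation as pefile defines it (lower-cased DLL name with .dll/.ocx/.sys stripped, dotted to the lower-cased function name, comma-joined in import order, MD5) so the reason for the collision can be checked directly. The import tables are constructed; one assumption is noted in the code: pefile maps ordinals of ws2_32.dll and oleaut32.dll to names, while this version writes every ordinal as ordN.

```python
"""Compute a PE import hash (imphash) from an import list, the way pefile
does (added example; the import tables below are constructed)."""
import hashlib
from typing import Iterable, List, Tuple, Union

# Imphash of the canonical .NET stub import table, as listed on this page.
DOTNET_STUB_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def _normalise_dll(name: str) -> str:
    """Lower-case the DLL name and drop a .dll/.ocx/.sys extension."""
    name = name.lower()
    for ext in (".ocx", ".sys", ".dll"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash(imports: Iterable[Tuple[str, Union[str, int]]]) -> str:
    """imports: (dll, function_name) or (dll, ordinal) pairs in table order.
    Order matters, exactly as in pefile. Assumption: ordinals are written
    as 'ordN' for every DLL; pefile resolves ws2_32/oleaut32 ordinals to names."""
    parts: List[str] = []
    for dll, symbol in imports:
        lib = _normalise_dll(dll)
        func = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
        parts.append(f"{lib}.{func}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def is_generic_dotnet_imphash(value: str) -> bool:
    """True when the imphash is the .NET stub value and so carries no
    family information: cluster on it only with other features."""
    return value.strip().lower() == DOTNET_STUB_IMPHASH


# Constructed import tables (assumption), not extracted from the sample.
DOTNET_STUB_IMPORTS = [("mscoree.dll", "_CorExeMain")]
NATIVE_EXAMPLE_IMPORTS = [
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "SetThreadContext"),
    ("ntdll.dll", "NtQueueApcThread"),
]

if __name__ == "__main__":
    h = imphash(DOTNET_STUB_IMPORTS)
    print("imphash of .NET stub :", h, "generic:", is_generic_dotnet_imphash(h))
    print("imphash of native set:", imphash(NATIVE_EXAMPLE_IMPORTS))
```

For a native binary the hash changes with every added, removed or reordered import, which is what makes it a useful clustering key there; for a .NET sample like this one, the real imports live in the CLR metadata, not the PE import table, so pivoting should use the TLSH, ssdeep, icon dhash or the YARA family rules listed above instead.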
