MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 618462a0d05a4e42a016245e5c88383eb15f836df641eb846da7951b437a0d17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 7



SHA256 hash: 618462a0d05a4e42a016245e5c88383eb15f836df641eb846da7951b437a0d17
SHA3-384 hash: 8a8e58b05ef4328100939d64379fd05cab589922a741dbe552377d71487c536ad407eaa33fe48047303e07982a89c37e
SHA1 hash: de1431b82e881c9d8dc56f5fb9bf085b96bce4c8
MD5 hash: a223798ae4f6009ea0132c8dce05375a
humanhash: october-california-table-island
File name: DHL DELIVERY DOCUMENTS.zip
Signature: Formbook
File size: 562'678 bytes
First seen: 2022-06-09 06:30:08 UTC
Last seen: 2022-06-11 07:36:51 UTC
File type: zip
MIME type: application/zip
ssdeep: 12288:LG44pjTgWMTsdl88QsfPS/Vyzhx8/GWIKNauJioFVjcJnK69:qfgWMyvSVyzhx8/4u0rp
TLSH: T143C423B29276D1FE69DB1F2E46C91BC0E1E114F02EE1FE93513B086E766C391A39184D
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: cocaman
Tags: DHL FormBook zip


cocaman
Malicious email (T1566.001)
From: ""DHL Express" <Arom.Kim@dhl.com>" (likely spoofed)
Received: "from mageneet.com (unknown [194.31.98.179]) "
Date: "10 Jun 2022 06:14:10 -0700"
Subject: "RE: FW: DHL Shipment Arrival Notice, S2104751056"
Attachment: "DHL DELIVERY DOCUMENTS.zip"

Intelligence


File Origin
# of uploads: 2
# of downloads: 219
Origin country: n/a

Vendor Threat Intelligence

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2022-06-09 04:27:31 UTC
File Type: Binary (Archive)
Extracted files: 9
AV detection: 18 of 26 (69.23%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:formbook family:xloader campaign:be3s loader persistence rat spyware stealer suricata trojan
Behaviour:
  Modifies Internet Explorer settings
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious behavior: MapViewOfSection
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Suspicious use of WriteProcessMemory
  Drops file in Program Files directory
  Suspicious use of SetThreadContext
  Adds Run key to start application
  Deletes itself
  Reads user/profile data of web browsers
  Xloader Payload
  Formbook
  Xloader
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
  zip 618462a0d05a4e42a016245e5c88383eb15f836df641eb846da7951b437a0d17 (this sample)
  Delivery method: Distributed via e-mail attachment
  Dropping: Formbook