MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 652948efee89fdc5c6d3dc7f65a16aafabd0d224c9fcd55e5f86573f1b2c4aa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 652948efee89fdc5c6d3dc7f65a16aafabd0d224c9fcd55e5f86573f1b2c4aa1
SHA3-384 hash: 07c55dd9e29333cb8b9d83ced53df2c3089a33585a76f360232bf177d12b770f810911bc682576ca92a98bdd540851c3
SHA1 hash: f6d7d33b6a340d2c370ca31a6f9677a2e5306486
MD5 hash: 771508cf2751f6dabe05758e4fa25fdf
humanhash: purple-quiet-diet-july
File name:DHL Notice_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:255'238 bytes
First seen:2023-03-21 07:05:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:/Ya6h4vRbB2TXukTFPqjpsaKncVt9l7GmmEE09z:/Yb4vRbB2Ldgjua2cplymmEE09z
Threatray 2'479 similar samples on MalwareBazaar
TLSH T16944124847E4E0BFE4A246701DFA62BA5BF4B52E9475410B63C02B697E726B15F0F332
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL Notice_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-03-21 07:08:35 UTC
Tags:
stealer formbook trojan
Link:
https://app.any.run/tasks/646986df-455f-4c25-a3a1-53248d286d20

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/376113/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
DNS request
Sending an HTTP GET request
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Searching for synchronization primitives
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/6419575d3b01ade53e6fee59/reports/2d9953fb-7228-45ec-9a3b-f02981ef9d2b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/652948efee89fdc5c6d3dc7f65a16aafabd0d224c9fcd55e5f86573f1b2c4aa1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b4261621-9c56-43dc-b8f7-e9d508c95933
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1198274
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 831175 Sample: DHL_Notice_pdf.exe Startdate: 21/03/2023 Architecture: WINDOWS Score: 100 30 www.madliainsalu.com 2->30 32 madliainsalu.com 2->32 48 Snort IDS alert for network traffic 2->48 50 Multi AV Scanner detection for domain / URL 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 5 other signatures 2->54 10 DHL_Notice_pdf.exe 19 2->10         started        signatures3 process4 file5 28 C:\Users\user\AppData\Local\...\zkvixbqxp.exe, PE32 10->28 dropped 13 zkvixbqxp.exe 1 10->13         started        process6 signatures7 68 Multi AV Scanner detection for dropped file 13->68 70 Detected unpacking (changes PE section rights) 13->70 72 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 13->72 74 Maps a DLL or memory area into another process 13->74 16 zkvixbqxp.exe 13->16         started        19 conhost.exe 13->19         started        process8 signatures9 40 Modifies the context of a thread in another process (thread injection) 16->40 42 Maps a DLL or memory area into another process 16->42 44 Sample uses process hollowing technique 16->44 46 Queues an APC in another process (thread injection) 16->46 21 explorer.exe 3 6 16->21 injected process10 dnsIp11 34 bohndigitaltech.com 162.241.24.110, 49708, 49709, 49710 UNIFIEDLAYER-AS-1US United States 21->34 36 kunimi.org 219.94.129.181, 49702, 49703, 49704 SAKURA-CSAKURAInternetIncJP Japan 21->36 38 11 other IPs or domains 21->38 56 System process connects to network (likely due to code injection or exploit) 21->56 58 Performs DNS queries to domains with low reputation 21->58 25 cmmon32.exe 13 21->25         started        signatures12 process13 signatures14 60 Tries to steal Mail credentials (via file / registry access) 25->60 62 Tries to harvest and steal browser information (history, passwords, etc) 25->62 64 Modifies the context of a thread in another process (thread injection) 25->64 66 Maps a DLL or memory area into another process 25->66
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/652948efee89fdc5c6d3dc7f65a16aafabd0d224c9fcd55e5f86573f1b2c4aa1/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-21 04:08:59 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=muuur37orh64lrwt3r7wlilkv6v5burezh6nkxs7qzlt6gzmjkqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1682bd22bd27dd3a278554973648ee1bc62d456a029aefb95ec7dcecdb23e235
Formbook
3353243680817a9543a9cd91723d5452591805ff28f458d740c0f94e85ea62e5
Formbook
4adcc8ef0f0f441cf8e44f0c3c446f620409dbf79353811fa4d6526c6752f6ae
Formbook
5f2de407396cfb921e5db52d5efb0fbfd44e7257630b079e02f83a1ed61ab4b4
Formbook
652948efee89fdc5c6d3dc7f65a16aafabd0d224c9fcd55e5f86573f1b2c4aa1
Formbook
88043d723394b97599313522b0a2f599f8678529ba0febfebb6642cc966bde94
Formbook
b819e0dd1a5dc229d16fa74251262ce7fdd7581a71f66c9dec61149a7c4c7a76
Formbook
bcfc27ac62a86bb98e019ba5eb2c6032fd5a56f6aacee84974b07217c2c1fe7f
Formbook
cc83e0a51f3dcd04a4c9b1a2ba3049227459cac541da52b518ee5ebcfbed4796
Formbook
e904274bd2e5d919c63c6db8c82f908abc10d65fdba772596e2953ab708b1726
Formbook
+ 2'469 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230321-hw3sqahb62/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
e05af06d3928d4583c5b2b2c433b9189411eb48f39d5cbaafed06f5cb27b3b20
MD5 hash:
be5a6985bcdca9064a05d26cfb8d082e
SHA1 hash:
5eb04d667d4e5a5b453ed028083423fa810ea5c4
Link:
https://www.unpac.me/results/41db17fe-6988-4297-a832-e767b0eb51fd/
SH256 hash:
652948efee89fdc5c6d3dc7f65a16aafabd0d224c9fcd55e5f86573f1b2c4aa1
MD5 hash:
771508cf2751f6dabe05758e4fa25fdf
SHA1 hash:
f6d7d33b6a340d2c370ca31a6f9677a2e5306486
Link:
https://www.unpac.me/results/41db17fe-6988-4297-a832-e767b0eb51fd/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/652948efee89/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar e5dcec3e5e5f9efeb20bdc63ef435653560e9704e2895ae77457266c7ec8ff3b

Formbook

Executable exe 652948efee89fdc5c6d3dc7f65a16aafabd0d224c9fcd55e5f86573f1b2c4aa1

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e5dcec3e5e5f9efeb20bdc63ef435653560e9704e2895ae77457266c7ec8ff3b
Cape
Cape
https://www.capesandbox.com/analysis/376113/
  
Dropped by
MD5 03ecb3a5a2aff490f00d04a40f53c194

Comments