MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66ebf028ab0f226b6e4c6b17cec00102b1255a4e59b6ae7b32b062a903135cc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66ebf028ab0f226b6e4c6b17cec00102b1255a4e59b6ae7b32b062a903135cc9
SHA3-384 hash: b36ba0765c8a7d96adf4c9dca2cf1c2dba430a272b25a3c8f9793b80b56f925cbb7b94a9b5d7f5fe565a0e118b93e6c5
SHA1 hash: a9977b3ac94c0c7446dce767ba211517a05525d6
MD5 hash: 2d95b8d3a985b14415096eb1aca093e1
humanhash: red-georgia-robert-social
File name:PDF.DHLinvoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:832'512 bytes
First seen:2024-01-22 09:58:02 UTC
Last seen:2024-01-22 11:24:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:OWp+RJg9K4VefDOtUhA7LOzjV2/iKh3aMEepi8/ouYAeUmP:N0Jg93VShA7yzjE9KUpYJn
TLSH T10D057B40D1C9FCA9C00A11B69838F538751DF79D917BCC6A2E6EA149A0B7393706BF1E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d884a68e96a29acc (4 x Formbook, 1 x AgentTesla, 1 x RemcosRAT)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
360
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/472248/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65ae3c2e3b46cfd29c177e6a/reports/7dbb644c-fab8-4aa3-81e9-7040713c9f50/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/66ebf028ab0f226b6e4c6b17cec00102b1255a4e59b6ae7b32b062a903135cc9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MSIL Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43b2f802-db39-4e60-b532-31e61d447193
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1378632
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/66ebf028ab0f226b6e4c6b17cec00102b1255a4e59b6ae7b32b062a903135cc9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66ebf028ab0f226b6e4c6b17cec00102b1255a4e59b6ae7b32b062a903135cc9/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2024-01-22 04:24:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m3v7akflb4rgw3smnml45qabakyskwsolg3k46zswbrksaytlteq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240122-lzhhqsebc4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
c90aafffc74449a20a75bd64631e17ebf767a9dfc7a2e05529f2fd5f1edbdc5d
MD5 hash:
2c8567978d76ab0a80ecf58f89d52cad
SHA1 hash:
c035775046093078ffb9b6ca59e2cf84fb4d42e6
Link:
https://www.unpac.me/results/46d82614-c5d0-44b9-9e60-521a911a1e24/
SH256 hash:
974c15c1f79c2d06b0b2038628613a162104a8dbc688b060bf7653dca5cb9fa6
MD5 hash:
e67033bce0618dcabcc950ad1108dd59
SHA1 hash:
4a780217aa275a01037f13101b2508501162f57d
Link:
https://www.unpac.me/results/46d82614-c5d0-44b9-9e60-521a911a1e24/
SH256 hash:
38829b602b6884f805a06794878d6e59bb67aa11e12061ce7aae501516948771
MD5 hash:
bc61bdf81fc62d97b43259e39c48109a
SHA1 hash:
e53458984473f4f05e4c3f81c89e95134aed3a67
Link:
https://www.unpac.me/results/46d82614-c5d0-44b9-9e60-521a911a1e24/
SH256 hash:
292a0518841e86949acf831703623779d63591cc95ebc4030d00da3b72066c77
MD5 hash:
4d697347eedf1d51cc5fcf7a066621f1
SHA1 hash:
bb9398d6d9f9ff3c74aadee7cdac6e04fab4770d
Link:
https://www.unpac.me/results/46d82614-c5d0-44b9-9e60-521a911a1e24/
SH256 hash:
dd3ebaac516948c12c3193c6f4a9454d30c5997bf7c1d1a77bc5a6f3afbe2c1d
MD5 hash:
b77799e2e41bb2bcfbd13bf3f15e2684
SHA1 hash:
a6220442058d4040182f1a46c64fb73cd6217871
Link:
https://www.unpac.me/results/46d82614-c5d0-44b9-9e60-521a911a1e24/
SH256 hash:
66ebf028ab0f226b6e4c6b17cec00102b1255a4e59b6ae7b32b062a903135cc9
MD5 hash:
2d95b8d3a985b14415096eb1aca093e1
SHA1 hash:
a9977b3ac94c0c7446dce767ba211517a05525d6
Link:
https://www.unpac.me/results/46d82614-c5d0-44b9-9e60-521a911a1e24/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/66ebf028ab0f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/66ebf028ab0f226b6e4c6b17cec00102b1255a4e59b6ae7b32b062a903135cc9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 66ebf028ab0f226b6e4c6b17cec00102b1255a4e59b6ae7b32b062a903135cc9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/472248/

Comments