MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67388fca813133367167001c4114d6cd97b4bed24d0acdfda8b5784723a698ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67388fca813133367167001c4114d6cd97b4bed24d0acdfda8b5784723a698ea
SHA3-384 hash: 13320e44650b02c3ea5a653cde5980803e6b75437987930bf29e7fcd51b7355438d0391623cb750c00505308a91936dc
SHA1 hash: def33ebdec7c1246760c4315d7ef53c20d5bd3f3
MD5 hash: 470c86b09a464fbc811c22ca4c135f91
humanhash: pip-fillet-east-stream
File name:HBL+MBL shipping advice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'418'752 bytes
First seen:2023-01-05 23:17:43 UTC
Last seen:2023-01-06 10:51:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:5JCA7cQbCQJuUH2p6lQ4nNBX3K6tGdZiJ:nkUHtBK5
Threatray 898 similar samples on MalwareBazaar
TLSH T1E3657C2439FA501AB173EFA68BE479E6DA6FBB333B07A45D109113860723A41DDC153E
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 9aa28a92b6a08e8e (5 x LgoogLoader, 2 x Formbook, 2 x AgentTesla)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
HBL+MBL shipping advice.exe
Verdict:
Malicious activity
Analysis date:
2023-01-05 23:21:46 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/9b4f2dc8-c8e0-41b1-9576-32aac9c67a4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/349831/
Detection(s):
Sanesecurity.Rogue.0hr.20230105-1534.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Reading critical registry keys
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
DNS request
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Forced shutdown of a system process
Query of malicious DNS domain
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
msiexec.exe packed
Link:
https://www.filescan.io/uploads/63b75aab40e878e304230320/reports/cd408e56-3ffc-4293-bc3b-20d37088c42d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/07cda732-531a-495c-9c23-aa221224eb5f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1145973
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 778705 Sample: HBL+MBL shipping advice.exe Startdate: 06/01/2023 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 6 other signatures 2->42 8 HBL+MBL shipping advice.exe 4 2->8         started        process3 file4 28 C:\Users\...\HBL+MBL shipping advice.exe.log, CSV 8->28 dropped 54 Writes to foreign memory regions 8->54 56 Injects a PE file into a foreign processes 8->56 12 AddInProcess32.exe 8->12         started        15 conhost.exe 8->15         started        17 SMSvcHost.exe 8->17         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 12->58 60 Maps a DLL or memory area into another process 12->60 62 Sample uses process hollowing technique 12->62 64 Queues an APC in another process (thread injection) 12->64 19 explorer.exe 12->19 injected process8 dnsIp9 30 www.ombqe.top 154.82.93.7, 49701, 49702, 49703 ROOTNETWORKSUS Seychelles 19->30 32 chaatfunnnet.skin 63.250.38.159, 49697, 80 NAMECHEAP-NETUS United States 19->32 34 6 other IPs or domains 19->34 44 System process connects to network (likely due to code injection or exploit) 19->44 23 colorcpl.exe 13 19->23         started        26 autoconv.exe 19->26         started        signatures10 process11 signatures12 46 Tries to steal Mail credentials (via file / registry access) 23->46 48 Tries to harvest and steal browser information (history, passwords, etc) 23->48 50 Modifies the context of a thread in another process (thread injection) 23->50 52 Maps a DLL or memory area into another process 23->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67388fca813133367167001c4114d6cd97b4bed24d0acdfda8b5784723a698ea/
Threat name:
ByteCode-MSIL.Trojan.Tedy
Create hunting rule
Status:
Malicious
First seen:
2023-01-05 10:50:01 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
19
AV detection:
14 of 41 (34.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m44i7subgeztm4lhaaoecfgwzwl3jpwsjufm37niwv4eoi5gtdva._file
Verdict:
malicious
Similar samples:
17fad325e9717e20c930f698f08f711320a505560e239b5de9df67c62258a3bd
Formbook
2b073d2e7346d127fc364606a3f875936dc9122763f324e449663da114040c98
Formbook
901112dd590ebf7bb0314c090a66522540e27d7ae769f2030ac47e3046f5d313
Formbook
9704c9bdcc0aceb98f97297ba82c93ba0ca396bdc02417bc75976de299ab52a3
Formbook
9d9849b524012665ec0676be4eb85efcd6d51bf1dd4a68c13f364f6e74c4bc60
Formbook
ac1bbc53ec6158d8dfa191b81292c96d8fb106d4ea196a6bef55027e0702b6f9
Formbook
b0e2ee5d5dcf0c508bd3f0d3016bc483d880ae94120fe214a4bff996bcc074aa
Formbook
d1ca3f8fb1acd28ee6ce1227880e74fca8aa908ca373931a5180f3cb76bb8fe1
Formbook
dc72c7525da8aa1afaadaf707499054dd9be20d0c78318d2f63af1fa37d58546
Formbook
fcfe4c075c3b67f661de261a2f05ce34d1b9b150c286c67a3da085b006ae7b3c
Formbook
+ 888 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230105-299b7shb9t/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2f24730d-c447-436f-862b-2cbf5dc85f39
Unpacked files
SH256 hash:
67388fca813133367167001c4114d6cd97b4bed24d0acdfda8b5784723a698ea
MD5 hash:
470c86b09a464fbc811c22ca4c135f91
SHA1 hash:
def33ebdec7c1246760c4315d7ef53c20d5bd3f3
Link:
https://www.unpac.me/results/28bd4d66-a972-427a-bcda-bf589ce2a2be/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/67388fca8131/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/67388fca813133367167001c4114d6cd97b4bed24d0acdfda8b5784723a698ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 42446279d5d4fb0d3648e43654ed0442b5b17b6ea59833845adc901030b79aa5

Formbook

Executable exe 67388fca813133367167001c4114d6cd97b4bed24d0acdfda8b5784723a698ea

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/349831/
  
Dropped by
SHA256 42446279d5d4fb0d3648e43654ed0442b5b17b6ea59833845adc901030b79aa5
  
Dropped by
MD5 c8228d7231c79c4dfcd447a8056b0cde

Comments