MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
SHA3-384 hash: d91f4145c2aba7ead2f3e4548ef1e3c06c3a3149213ae5f89e66202710805fd9ab7eb4d952f26170ce0b1603c141ecdc
SHA1 hash: 68b1c17f382e51c661187086886dcd6f7ceba50f
MD5 hash: 0cb4a24adf5a4c9a27f152b3434f2733
humanhash: uncle-golf-early-mexico
File name:25_DB_DHL_AWB_001833023AD.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:663'552 bytes
First seen:2023-05-24 10:06:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:tUtPplTY6RhKuETt/pTnWl3c3gLFskVEP0gmAbWnxd/A+b8YghM1T:tUJTDEhxLQ3c2MOAKL/Tb8Y
Threatray 3'224 similar samples on MalwareBazaar
TLSH T100E423184AEE96ABC9EF6FF94000017151361A577910F3931DD777CDAF22B0A1B98EA3
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
25_DB_DHL_AWB_001833023AD.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-24 10:11:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/465c9f7f-e67b-4b15-b673-c4a578594574

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/391115/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.31799.16022.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/646de1c7cf634b8f311af81c/reports/2c265c19-ebae-486b-852b-4ed84fd01f84/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/14979389-0fa0-41af-8afb-f3a743282edf
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1241499
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 874511 Sample: 25_DB_DHL_AWB_001833023AD.exe Startdate: 24/05/2023 Architecture: WINDOWS Score: 100 33 www.customscubadiving.com 2->33 35 customscubadiving.com 2->35 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for URL or domain 2->47 49 5 other signatures 2->49 11 25_DB_DHL_AWB_001833023AD.exe 3 2->11         started        signatures3 process4 file5 31 C:\...\25_DB_DHL_AWB_001833023AD.exe.log, ASCII 11->31 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 15 25_DB_DHL_AWB_001833023AD.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 4 1 15->18 injected process9 dnsIp10 37 www.authorizer.online 3.64.163.50, 49696, 80 AMAZON-02US United States 18->37 39 www.3dseal.online 18->39 41 192.168.2.1 unknown unknown 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 systray.exe 18->22         started        25 autofmt.exe 18->25         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 27 cmd.exe 1 22->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-24 06:29:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nq66i7nn4sxmvmzheckbdfnol7ime5pwmnmmaxfqcfrpzdabrgzq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02b060c393fbc76a082ef0411f28e2be60bce1af80ea2df91f003e9b8a762b88
Formbook
1950034453da28649135d35016d5ab7ee791cd4bbbc1e4a72f7c56ce3aa9dd9a
Formbook
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
Formbook
3bcc7e2a22fd283ad188e24bd4dd4cc6180f2fc907de59cc3c952b89507bfed0
Formbook
47c74b216015a03abc6bf2a786c4c760fe23f5ce920c9a0ed6e68aa340568e84
Formbook
625f5caa0e4422a01de12f875b7acf8c4edb699f36a7237c18bf3df7772a7e6c
Formbook
6f6635f95155f37d66c295977e973d28b681fb57fc50caf361e5e13f1037008a
Formbook
a28cb539852da2e100484ab8cee9613a28b2e68d409b99d80e27f4fb7f238b5d
Formbook
a8982b67f297cc68ff3f3de02cc7b60d51c8b4a3db85971ce4f73149fe67b6ee
Formbook
f071e06b294ad94e6c83f6b35a9700b8cb3df225e76096730a38567de1c50450
Formbook
+ 3'214 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:gg04 rat spyware stealer trojan
Link:
https://tria.ge/reports/230524-l5m1eabh79/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
f0c89477d579cf7dcb360eb8f30c168d46aba7b07a6dbec7296ccad60cfa5927
MD5 hash:
398ec82c3e278a425b2efc5c6c8a76ed
SHA1 hash:
416c6cd08e4076efab6f8b5e83679e5204a9d934
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/8a2f9cdf-1183-435d-97f7-4dc328ff5392/
Parent samples :
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
625f5caa0e4422a01de12f875b7acf8c4edb699f36a7237c18bf3df7772a7e6c
3bcc7e2a22fd283ad188e24bd4dd4cc6180f2fc907de59cc3c952b89507bfed0
6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
f94f83d21d367554ddd900c8d8e11a93330e951cfb04ea40c0d8ac5b326cf9b2
1168c66115568c14523cc4659547af756df33815b971e519d0a7c09f56903ec6
9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970
913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/8a2f9cdf-1183-435d-97f7-4dc328ff5392/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
a518e0fddabae1e59f933566cb54e592331404d5362976f3ef81a1432dac4ffb
MD5 hash:
de906fce89f615f303ddfb80c1b37b35
SHA1 hash:
3568e3f9f0731da9a3294f4f8de61f95dc3eec31
Link:
https://www.unpac.me/results/8a2f9cdf-1183-435d-97f7-4dc328ff5392/
SH256 hash:
0cab4b4394516b1e61543b96312aea3bf08df5093b86ea03ba2f27beaefaeda1
MD5 hash:
4058c0c817693d6990b4afc448597fd1
SHA1 hash:
2aa3f0f480121cfe9b167ac0dd9810453e421997
Link:
https://www.unpac.me/results/8a2f9cdf-1183-435d-97f7-4dc328ff5392/
SH256 hash:
0ae37954544f3fb7736966e78029ed1ee7ac4a57fb276e23d6b242bd96e7723f
MD5 hash:
db8491e2e9f24ed24a75f4124888e885
SHA1 hash:
040fd78064a35e3b25a49b9f9be9791b1bb4d9f1
Link:
https://www.unpac.me/results/8a2f9cdf-1183-435d-97f7-4dc328ff5392/
SH256 hash:
6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
MD5 hash:
0cb4a24adf5a4c9a27f152b3434f2733
SHA1 hash:
68b1c17f382e51c661187086886dcd6f7ceba50f
Link:
https://www.unpac.me/results/8a2f9cdf-1183-435d-97f7-4dc328ff5392/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6c3de47dade4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/391115/

Comments