MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f953b35fe9f1aa984e06446bc6353ecf594c6dbe11e7b07be43bd6e0eb8ad9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	6f953b35fe9f1aa984e06446bc6353ecf594c6dbe11e7b07be43bd6e0eb8ad9a
SHA3-384 hash:	9ca0fe2b62cf1b285c5d7ee9639f89da2c4e50186276e1cd65f23d6375af1738b8621c35c75577e93799b287a10ddbb5
SHA1 hash:	f2b78198a3587b97548717c3a1db995817da1710
MD5 hash:	9a4cea4caaf5eb230c5b11e7da2a112f
humanhash:	chicken-chicken-zulu-pip
File name:	DHL RECEIPT.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	313'880 bytes
First seen:	2022-06-21 14:53:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:LvArm7CtUMT59qL/qOflDhfdW+FfUuABLYRwg:DWpNwbtLBUu5t
TLSH	T18964CF1B73DC4F41D9A86AB5C4DF552113E2AEC72F32D39A3F08679C1E423A39E80659
TrID	52.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 22.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.5% (.EXE) Win64 Executable (generic) (10523/12/4) 4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	DHL exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

220

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/282012/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.4028.25615.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated overlay packed

Link:

https://www.filescan.io/uploads/62b1dbd246804683cbbaf3c0/reports/58f5c276-c115-4c06-bb8b-4058ea12d94c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/399e262b-b90f-4054-9233-945958ebffb5

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/6f953b35fe9f1aa984e06446bc6353ecf594c6dbe11e7b07be43bd6e0eb8ad9a/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-06-21 09:05:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n6ktwnp6t4nktbhamrdlyy2t5t2zjrw34ephwb56io6w4dvyvwna._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader campaign:k0dn loader persistence rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220621-r9vtpsggh4/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

System policy modification

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of web browsers

Adds policy Run key to start application

Executes dropped EXE

Xloader Payload

Formbook

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Unpacked files

SH256 hash:

eb1bc8ce5d20bc63003be8e9bf7a01185040f631e988f2574346936542fb0b08

MD5 hash:

4fbadbe3906d6d029a770616e042a91b

SHA1 hash:

e28889864400b184a9e11c4e365899e2d9f0c7f2

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/dd9ef909-3569-41fb-81ad-2281512c2eb0/

Parent samples :

444785a229ad49a95ce3ac8e0b1e0485fb7dce76d521331397702cdfae648607
63a24a782f2d4f31f57886852f84eda1eea782ab040cebb37d9325c8da6f2b93
6f953b35fe9f1aa984e06446bc6353ecf594c6dbe11e7b07be43bd6e0eb8ad9a
0fcd6e9b28b7605ca9775462603f308e1a598528ff0674e297d66253619f42f4
1623f32f1937aa2290ac5c0cd3c132be192d4fad1782768bf1b705272e245ca5
abaea9c3b27ce7b16be954313ac278a2858afdec6e8baa408e6a6944e30ee4a0

SH256 hash:

4f2115a06815e63e5a6c2314b94b2c6e161dfce1d036620b885d6e64ce606739

MD5 hash:

66dfa7202daa835b4436853f52d301fa

SHA1 hash:

7fad7b50e8174057549ee8ea87ff55a03e30db9d

Link:

https://www.unpac.me/results/dd9ef909-3569-41fb-81ad-2281512c2eb0/

SH256 hash:

6f953b35fe9f1aa984e06446bc6353ecf594c6dbe11e7b07be43bd6e0eb8ad9a

MD5 hash:

9a4cea4caaf5eb230c5b11e7da2a112f

SHA1 hash:

f2b78198a3587b97548717c3a1db995817da1710

Link:

https://www.unpac.me/results/dd9ef909-3569-41fb-81ad-2281512c2eb0/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6f953b35fe9f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/6f953b35fe9f1aa984e06446bc6353ecf594c6dbe11e7b07be43bd6e0eb8ad9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/282012/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample