MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fbc3e54a04aeadf268907b5041bdaf5af8980d76eafce3bc5d995c0fa779fd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fbc3e54a04aeadf268907b5041bdaf5af8980d76eafce3bc5d995c0fa779fd8
SHA3-384 hash: 416b4d83c2dfe4b0189ea6f27b767183eea8286c2e4b36a3e123480f0c8f86cccd3e8611c7396e18bcd90d50d8880051
SHA1 hash: f4752b9407c50396ca6ca1fef1a50827eb5cbc10
MD5 hash: bbcdacdde22b8bab6d71f543c36c9b2f
humanhash: iowa-crazy-finch-march
File name:Consignment Details&BL Draft.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:679'424 bytes
First seen:2021-01-18 09:42:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f85ebb67bac58f72de974a91d40889a (5 x Formbook, 3 x RemcosRAT, 2 x AgentTesla)
ssdeep 12288:i8WvAMYGY5RFNBeU7vgTOzTdCeNckakZR5zPRrs8d63J3/7oCG2B:i8W4T17vgKzbNKcddKJPZ
Threatray 3'499 similar samples on MalwareBazaar
TLSH D6E49D116840C039E1721D325AA9D6B2196EAC303F15798F6FD83E767F378C1A62963F
Reporter abuse_ch
Tags:DHL exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hj0.302.zrami.ml
Sending IP: 188.166.216.99
From: DHL Express <support@dhl.com>
Subject: Consignment Notification: You Have A Package With Us
Attachment: Consignment DetailsBL Draft.img (contains "Consignment Details&BL Draft.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Consignment Details&BL Draft.exe
Verdict:
Malicious activity
Analysis date:
2021-01-18 09:45:48 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/4d3f5abc-f903-43c7-b845-676e65aacbdc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112536/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/583655
Signature
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 340868 Sample: Consignment Details&BL Draft.exe Startdate: 18/01/2021 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 5 other signatures 2->44 10 Consignment Details&BL Draft.exe 2->10         started        process3 signatures4 54 Maps a DLL or memory area into another process 10->54 13 Consignment Details&BL Draft.exe 10->13         started        process5 signatures6 56 Modifies the context of a thread in another process (thread injection) 13->56 58 Maps a DLL or memory area into another process 13->58 60 Sample uses process hollowing technique 13->60 62 Queues an APC in another process (thread injection) 13->62 16 explorer.exe 13->16 injected process7 dnsIp8 28 www.survivalrunfotografen.com 188.93.150.71, 49752, 80 SIGNET-ASSignetBVNL Netherlands 16->28 30 www.mwavpn.com 52.165.230.236, 49741, 49761, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->30 32 20 other IPs or domains 16->32 36 System process connects to network (likely due to code injection or exploit) 16->36 20 svchost.exe 12 16->20         started        signatures9 process10 dnsIp11 34 www.vh3g.asia 20->34 46 System process connects to network (likely due to code injection or exploit) 20->46 48 Modifies the context of a thread in another process (thread injection) 20->48 50 Maps a DLL or memory area into another process 20->50 52 Tries to detect virtualization through RDTSC time measurements 20->52 24 cmd.exe 1 20->24         started        signatures12 process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6fbc3e54a04aeadf268907b5041bdaf5af8980d76eafce3bc5d995c0fa779fd8/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-18 09:43:06 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n66d4vfajlvn6juja62qig626wxytagxn2x44o6f3gk4b6txt7ma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
148007b32a311769a958c3f87c6c836b14457f17dbe6a9a0188b0f68b3c30b40
Formbook
38f3aadc65df16aed9f5bbaa5f42598d3fd9b29811429fcddd679a40b092fca0
Formbook
43240f1dfbde94a0fb438b295e6ddb3ef5aa5ef82f42222312f2eb49b91f9de8
Formbook
58b012a7c77564704af9bc88d272f1aa68c6789c84a146d0f566304c370bc89a
Formbook
ac23d4ba0e11c07488224b01abc734d353da88537ed55c945eec7a91a20216a4
Formbook
b4a9843d6c2869da17c9fb36d3aae7b869f3df444280943e07f3944f6408f086
Formbook
c15f6faab41ea44719d795995c15024db0719fa5c9a731110587ec4e1e041fc2
Formbook
c826a0b0506ddc4d93aba9f41ed795a88cca8bdb8c54f4af5d8dbdf9767e9ad3
Formbook
dca4c9a7846a3ebb066c08583388adeb4b05e464f20abd10409ccf47164d8635
Formbook
e49c51a6864bf50e27baca58c5a2420046cae1803c5e0338af152b50d0dcc215
Formbook
+ 3'489 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210118-4c1jczjgb2/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.mwavpn.com/9bwn/
Unpacked files
SH256 hash:
6fbc3e54a04aeadf268907b5041bdaf5af8980d76eafce3bc5d995c0fa779fd8
MD5 hash:
bbcdacdde22b8bab6d71f543c36c9b2f
SHA1 hash:
f4752b9407c50396ca6ca1fef1a50827eb5cbc10
Link:
https://www.unpac.me/results/2d595666-a50b-4ae3-88f8-a55b256c9868/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6fbc3e54a04aeadf268907b5041bdaf5af8980d76eafce3bc5d995c0fa779fd8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 7b83392a3f896768cb39393da374d9a1182664c8f5ebf076b366a693ed40dbd2

Formbook

Executable exe 6fbc3e54a04aeadf268907b5041bdaf5af8980d76eafce3bc5d995c0fa779fd8

(this sample)

  
Dropped by
MD5 2d780385421cbf1f18dfaa6716afcc3e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112536/
  
Dropped by
SHA256 7b83392a3f896768cb39393da374d9a1182664c8f5ebf076b366a693ed40dbd2

Comments