MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72339a82b3bca6e89bd9b29a5e6214a4dab154275ca6ef0c06fee6ac1847df3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72339a82b3bca6e89bd9b29a5e6214a4dab154275ca6ef0c06fee6ac1847df3e
SHA3-384 hash: a24035a04af44141aefefba6c879cd1eaeb6f23982c6893a83c85948b38be3803816ac90113c5cf926e461279f185b1c
SHA1 hash: c7c9cedf3e09f95b7cb1f60a1d1839cf4b3dfeb0
MD5 hash: 19d659997c1e551ff64271996ac090c5
humanhash: blue-undress-alabama-aspen
File name:Shipping documents.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:457'216 bytes
First seen:2020-10-20 08:28:43 UTC
Last seen:2020-10-25 21:47:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:56+Tio0b2dwnsEa6EIIypa9A1GKZHNYPzodx5hM:56+TizbVhaZyQA1GUKzodx3
Threatray 2'542 similar samples on MalwareBazaar
TLSH F2A4014451A9AB33F2BE97F6305C551887F2408A7BA7FA580EE136EE15A1F804F18E53
Reporter abuse_ch
Tags:DHL exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail0.grandair.xyz
Sending IP: 143.110.228.46
From: DHL <no-reply@dhl.co>
Subject: Re:Re: D.H.L Parcel Notification
Attachment: Shipping documents.7z (contains "Shipping documents.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73341/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497295
Signature
Binary contains a suspicious time stamp
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 300828 Sample: Shipping documents.exe Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 36 www.leqi166.com 2->36 38 www.hmm07.com 2->38 40 2 other IPs or domains 2->40 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 9 other signatures 2->50 11 Shipping documents.exe 3 2->11         started        signatures3 process4 file5 28 C:\Users\user\...\Shipping documents.exe.log, ASCII 11->28 dropped 14 Shipping documents.exe 11->14         started        process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 30 gwlawmagazine.com 173.233.70.169, 49754, 80 TURNKEY-INTERNETUS United States 17->30 32 sokukinjob.com 49.212.235.228, 49747, 80 SAKURA-CSAKURAInternetIncJP Japan 17->32 34 15 other IPs or domains 17->34 42 System process connects to network (likely due to code injection or exploit) 17->42 21 ipconfig.exe 17->21         started        signatures10 process11 signatures12 52 Modifies the context of a thread in another process (thread injection) 21->52 54 Maps a DLL or memory area into another process 21->54 56 Tries to detect virtualization through RDTSC time measurements 21->56 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/72339a82b3bca6e89bd9b29a5e6214a4dab154275ca6ef0c06fee6ac1847df3e/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 03:25:37 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oizzvavtxstorg6zwknf4yquutnlcvbhlsto6dag73tkygch347a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
15d71d7a0b659fa5429a2e96d9185dad6aca0fe201dfa802b7fd0ef2b8211c76
Formbook
1b10d999126d02956f9d2fec22e0d83b560a5fa8fd873628a6df5650fefe48fd
Formbook
339505a9dc4fdae3e5a44a6d33230c75d181a8674bead358b8c9012156f4672d
Formbook
72696d78e02a5f32462855866fee3ddba93f53a0a1bb84c58c98e84d623f3abd
Formbook
878d3d77023a927c7dc6aaab23b90cd1203bcd1bacdeedf997692a4c60d24129
Formbook
89c0e9f07b4245f97dccad1b925e19ad1a436b61c5fce2f2f12bc05c0042dcbe
Formbook
92625b5d11e691107b8aa2e733c1be9fe3677b5a86f03e08f239bf6e0d450885
Formbook
a0c73c5e7d039898c297b3e6d1c48bc7c32eae93a24b731a0c21717925dba028
Formbook
c940837494435b53d54b6b4349031a14bf5db905a22b7601e34deb851b109715
Formbook
f2cb02b3c504a4db0b43f79aef0d63398d9b984ee84d07acd690a448b63b5636
Formbook
+ 2'532 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201020-rnkrm1q9wa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.leqi166.com/4psn/
Unpacked files
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/d308f5ad-b7fb-4911-84f2-6adb9fb1bc4b/
SH256 hash:
9ece0f7c9acb4a81512d80e1ca25f1356731e05f920e55d14f490339e49d60cc
MD5 hash:
5fdbfe411ee679f479708e23d9ae52f9
SHA1 hash:
50f3755a6e8e42419c059518cf3595ea217a7fd8
Link:
https://www.unpac.me/results/d308f5ad-b7fb-4911-84f2-6adb9fb1bc4b/
SH256 hash:
1dd6a152739479ce4fa562c5070fbb22e73688ac5bba113149d94e32e9006366
MD5 hash:
3903ec5d571981ba9c277550311852ad
SHA1 hash:
b291ab771c7bac078973aaffde8bfbb6c32ac5b5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d308f5ad-b7fb-4911-84f2-6adb9fb1bc4b/
Parent samples :
1b10d999126d02956f9d2fec22e0d83b560a5fa8fd873628a6df5650fefe48fd
72339a82b3bca6e89bd9b29a5e6214a4dab154275ca6ef0c06fee6ac1847df3e
f0663d68ada4b6037f092567cd91968cbadf27b2c994b100ed506235b11cf172
3e27409e26109793a8a424e232d605acf75360ac30027f5553f780b06ca0dffb
a69b4e5b81128406fd2d580b13e8efc633a1af50c80ab5ee6c0be8c4b241a28b
4251026babadcdbe35d2bd5ac89c51f3a1752df2c49ff6fdb352ba5c1b509245
SH256 hash:
72339a82b3bca6e89bd9b29a5e6214a4dab154275ca6ef0c06fee6ac1847df3e
MD5 hash:
19d659997c1e551ff64271996ac090c5
SHA1 hash:
c7c9cedf3e09f95b7cb1f60a1d1839cf4b3dfeb0
Link:
https://www.unpac.me/results/d308f5ad-b7fb-4911-84f2-6adb9fb1bc4b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72339a82b3bca6e89bd9b29a5e6214a4dab154275ca6ef0c06fee6ac1847df3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z 581b1aa4337bf5d4766d805b4f5ea863f38202563cc4b303e853fc6e6ea42b47

Formbook

Executable exe 72339a82b3bca6e89bd9b29a5e6214a4dab154275ca6ef0c06fee6ac1847df3e

(this sample)

  
Dropped by
MD5 f2f739775cb368ed655ac873c14e2d66
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73341/
  
Dropped by
SHA256 581b1aa4337bf5d4766d805b4f5ea863f38202563cc4b303e853fc6e6ea42b47

Comments