MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73ff2753b011fd1295ce8a2ca311a308bdc993e95258fe0b93ee353b08e58403. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	73ff2753b011fd1295ce8a2ca311a308bdc993e95258fe0b93ee353b08e58403
SHA3-384 hash:	8d1f4dc7c48785c31d5682137bdd9f03404b199e9be75cc46d42515b5ae417b908eedeaaeb867562842fd3cc252e6b98
SHA1 hash:	5cb9cf8e5aa90fb5aa4653e03dbc5badbdd53910
MD5 hash:	f4665cd125b04317de93e1bfc5992078
humanhash:	queen-two-washington-bluebird
File name:	DHL Shipment Receipt.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	858'624 bytes
First seen:	2023-07-31 07:18:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:jUkQev04XWofKeL4FkUvlcIJPVS5sPeRDtVO59jr86aD:jUlefXWCLSlcIgsujO/86a
Threatray	3'440 similar samples on MalwareBazaar
TLSH	T16F05B77804BB4E62C221D2BE7AC5E52FF6425CB6611C8D5B529A6F870D03D372C9EC2D
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	DHL exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

273

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL Shipment Receipt.exe

Verdict:

Malicious activity

Analysis date:

2023-07-31 07:22:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f039ac5d-adf6-4b97-96ba-b9912dd38e2a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/439337/

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.18782.1515.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64c760693d0bb8484a89b3aa/reports/895154f5-4bb3-4276-81b4-c8005b42f059/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/73ff2753b011fd1295ce8a2ca311a308bdc993e95258fe0b93ee353b08e58403

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/48e07f1f-6901-42e3-9762-214f65951184

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1283033

Signature

.NET source code contains very large strings

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/73ff2753b011fd1295ce8a2ca311a308bdc993e95258fe0b93ee353b08e58403/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-31 07:19:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=op7sou5qch6rffooriwkgendbc64te7jkjmp4c4t5y2twchfqqbq._file

Verdict:

malicious

Label(s):

formbook

Formbook

1257726baaeca6e8c000406ceaba2ec70fa53371d331f8e6b39bfff8bb0a3a02

Formbook

2f4e4ad21cf764b8c109f7dd4ac1e328fb144ad3fd91d692fe1f992f236ee540

Formbook

351e57f3d222d0e1fd7639e2853d6e0a25025987c4cbfd232d22728e83debc7f

Formbook

99bb71c925f112035797c13df8af4106c78c305aecea027583007145fce87de7

Formbook

9bc85e2d8b9379ab4b4a7a165602aa01a3251bd131a10d3cc67f494c3a46aced

Formbook

affc74db906a6b57d940a90471204922b9778426e1defb4be5b645308b1a3da5

Formbook

df37442819123ab5be93f8ef9e1172b14fcb66be11cc3e146d6e9fcf54e674e4

Formbook

eb9bb2864bcf714084d8b6c2d9dbcf55a30727c8e87d66eef592048dab10dead

Formbook

fe612af3d7883a25ca19eca8440e32741aa66e69c80a7275a13bdd91023399c6

Formbook

+ 3'430 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230731-h5htxaeb8s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks computer location settings

Unpacked files

SH256 hash:

0a715e9748587e85691c13f847a8e1bfa219db51434caa70fa0ae89ee3e85ac5

MD5 hash:

f00c7ba26caad0623f198080c2e0acde

SHA1 hash:

34877efef97e197b106efda6131089696334145a

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/de86672b-1c2e-4389-ad99-0f61d3c9de13/

Parent samples :

4bc2162ae0ae133d359603b912865d8ed2f26029421a7dcfcf734f2aee216923
73ff2753b011fd1295ce8a2ca311a308bdc993e95258fe0b93ee353b08e58403
bdf513cd2e97cb60bc6497c6a6155aa36ab7a32636b3f7d87715f988cd68feab
0fa6047b89faa0096bac58ca8733687cd676b31cd75675654e4e0343ca8ae8c6
131c69adaff732d878e0396149be53da15e8e155daafe995259385c6c28f605b
74eb5168cf1f711833750d0e0f5a25a97cceda943944da21ecc8f1b697ab4e43
41b09d1202db4dfb8db58a5cd9f68953db7d7547fab1c76234b3dd95cfac318e
2d504d5142b27bb57b54d806c01d890fafcc5ba3e41a9a38094ae426c63fb362

SH256 hash:

70f1f71c4ef3234d5a68ec1c7b4455f07031fa44980021d42576798f8008d718

MD5 hash:

d8268f5fb982dc3e522ea4e800edfe56

SHA1 hash:

aa8d82f98d2f3a7df63e7f632a39dffcbefa10a2

Link:

https://www.unpac.me/results/de86672b-1c2e-4389-ad99-0f61d3c9de13/

SH256 hash:

53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77

MD5 hash:

37e82d3e2864e27b34f5fbacaea759c3

SHA1 hash:

a87024a466e052bff09a170bb8c6f374f6c84c32

Link:

https://www.unpac.me/results/de86672b-1c2e-4389-ad99-0f61d3c9de13/

SH256 hash:

4341e6b86484bf815a34cace1e0db806f627ba5856ae68ab88f77075bc8e319c

MD5 hash:

bc146899b7db71e0d8d7e82d70807099

SHA1 hash:

4c7b6d08e362395a75874b0fa9259a9081df23da

Link:

https://www.unpac.me/results/de86672b-1c2e-4389-ad99-0f61d3c9de13/

SH256 hash:

28f47f18ae8466673ee87ba144a9fe63ea2ed5ee3fad610ad938db1c98f00298

MD5 hash:

98ea686554a02bf4ae9dbf2ed087cd1c

SHA1 hash:

436d1042f56b40eff60df7bc136ffbe6a55e4f03

Link:

https://www.unpac.me/results/de86672b-1c2e-4389-ad99-0f61d3c9de13/

SH256 hash:

73ff2753b011fd1295ce8a2ca311a308bdc993e95258fe0b93ee353b08e58403

MD5 hash:

f4665cd125b04317de93e1bfc5992078

SHA1 hash:

5cb9cf8e5aa90fb5aa4653e03dbc5badbdd53910

Link:

https://www.unpac.me/results/de86672b-1c2e-4389-ad99-0f61d3c9de13/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/73ff2753b011/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 73ff2753b011fd1295ce8a2ca311a308bdc993e95258fe0b93ee353b08e58403

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/439337/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample