MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7480d003f1a50d543001fcddfd85cb6964749187b2777bd6b1df58eb010f1c4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7480d003f1a50d543001fcddfd85cb6964749187b2777bd6b1df58eb010f1c4b
SHA3-384 hash: d63c613eeca3e644a13c82d63f89ffa09e5f90c6e2331afb7b20bdf2ddc94e2002210aad5f377ab51865fea922157697
SHA1 hash: 15d625457c04620f07919c1bc0041d59d252e049
MD5 hash: e3cde599987cc9a8ff7f7d286175f9d3
humanhash: colorado-skylark-jupiter-mars
File name:DHL.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'555'456 bytes
First seen:2022-05-09 14:09:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:eC6kMxtlE+bQ8AsssvVOzlFKYdQtMDKxJNvl8kbbypqnv:etrAME66kbIqn
Threatray 455 similar samples on MalwareBazaar
TLSH T13975394E670E8967CC40C6B9EDB62BA33767E7BE58835307A395373AC42B3BD1500616
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 182b4d5d84f0f0b2 (9 x Formbook, 8 x AgentTesla, 6 x RemcosRAT)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL.exe
Verdict:
No threats detected
Analysis date:
2022-05-09 19:07:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/58e77a81-f339-45bc-b345-7ef20a55b72d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.24184.7zHeur.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/627920fabe0219041a887244/reports/b7932c32-1d62-4272-8c59-d1343666475f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f5c18ef-7a86-4587-9940-3832d3970727
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/990235
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 622738 Sample: DHL.exe Startdate: 09/05/2022 Architecture: WINDOWS Score: 80 20 Malicious sample detected (through community Yara rule) 2->20 22 Antivirus / Scanner detection for submitted sample 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 3 other signatures 2->26 7 DHL.exe 1 2->7         started        process3 process4 9 WerFault.exe 23 9 7->9         started        12 cmd.exe 1 7->12         started        file5 18 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 9->18 dropped 14 conhost.exe 12->14         started        16 timeout.exe 1 12->16         started        process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7480d003f1a50d543001fcddfd85cb6964749187b2777bd6b1df58eb010f1c4b/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-05-09 00:42:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=osanaa7ruugvimab7to73bolnfshjemhwj3xxvvr35mowaipdrfq._file
Verdict:
malicious
Similar samples:
16ab238a5b8fc0de74ddda698db8182e8193e65f7003124a0f954313cf86e048
Formbook
2a6a175d59e4c5c69eb490f20296a26ea53d59eb6580b3b34dfa1d2c4f717e76
Formbook
47a1b7e633dbfe5227f021deb30d806d9546e17044bef8dd54fb2cc21096a471
Formbook
48b87eb4ae33650b8eae8e4c3927d6e3e2b5e6f4e4fa7afd6b829992a395ca79
Formbook
9c14d6ca77383fa5a3724feab17b217b900295abf77311a8c88f39ff7bb02f01
Formbook
d3be2ee3efb4181dfeeb50d0a3aec292733ab22c39ee474dfd7f3f18780f1224
Formbook
+ 445 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:64pf loader rat
Link:
https://tria.ge/reports/220509-rgprzsgdap/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Xloader Payload
Xloader
Unpacked files
SH256 hash:
e50fa5790f792690ccdbe6b6c1caabdf827b246e5e48523734615d38b6be270f
MD5 hash:
91efdefa4ef6761d65245045fea6f8de
SHA1 hash:
e493dddd48946c00f85329246475bbfb330fe4b0
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/25a92058-8042-4c73-b608-693ba2bc5e2d/
SH256 hash:
f9c31f296a58e1ab60bc1c2ed533093178e70f355cad7a26e86e4bb0e699a9ff
MD5 hash:
4479fc6e665a64207f842facaf554096
SHA1 hash:
0ae6b9083ad270141b15a001062eac28569960fd
Link:
https://www.unpac.me/results/25a92058-8042-4c73-b608-693ba2bc5e2d/
SH256 hash:
7480d003f1a50d543001fcddfd85cb6964749187b2777bd6b1df58eb010f1c4b
MD5 hash:
e3cde599987cc9a8ff7f7d286175f9d3
SHA1 hash:
15d625457c04620f07919c1bc0041d59d252e049
Link:
https://www.unpac.me/results/25a92058-8042-4c73-b608-693ba2bc5e2d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/7480d003f1a50d543001fcddfd85cb6964749187b2777bd6b1df58eb010f1c4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7480d003f1a50d543001fcddfd85cb6964749187b2777bd6b1df58eb010f1c4b

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments