MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a4424af54555e5a81f6fa4e2b2c42c6d19c71bbcc261cd1be14af245c3b711c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a4424af54555e5a81f6fa4e2b2c42c6d19c71bbcc261cd1be14af245c3b711c
SHA3-384 hash: 3cdb4b9163c063c50ffbc37876e92ab907d7cd829c49dc13c4b4800ba7ab898262504e9da0ee8390b5c05ee2e029e4e5
SHA1 hash: da867a8b837e43c91414ff46d239ab95b799d04b
MD5 hash: 5bc8492c9f262d1f9840635b87edf9c5
humanhash: pizza-equal-nuts-comet
File name:DHL Delivery Documents.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:48'640 bytes
First seen:2022-01-28 12:36:29 UTC
Last seen:2022-01-28 16:18:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:24jw5Zoo7adxM2GzRpAgka/8HHUTQQQQQQQBdy3bI91GN6bcE/2ihWSCAtkrjL1X:2Awzf3Rpga/eHUTQQQQQQQBdBgN6b5/S
Threatray 12'920 similar samples on MalwareBazaar
TLSH T12D234A42D2930267D55A5A73B49396C307B0A30D5CF74EABA8CC311E8E9F21A7653FC9
File icon (PE):PE icon
dhash icon 550959654d651945 (37 x Formbook, 28 x AgentTesla, 14 x RemcosRAT)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Delivery Documents.exe
Verdict:
No threats detected
Analysis date:
2022-01-28 12:40:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2091f1bc-ca77-473f-8a82-31a4ac5d5250

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/225020/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38778921.6511.1376.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a file
Launching cmd.exe command interpreter
Searching for synchronization primitives
Reading critical registry keys
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/61f3e37320a5f4d327d9fa0a/reports/4f4307d4-9b4d-47d6-bdd6-46b555d389a0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/898dc6e1-3b14-492d-b802-82a8401e0b2d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/929642
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 562120 Sample: DHL Delivery Documents.exe Startdate: 28/01/2022 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus detection for URL or domain 2->35 37 7 other signatures 2->37 10 DHL Delivery Documents.exe 14 3 2->10         started        process3 dnsIp4 29 transfer.sh 144.76.136.153, 443, 49751, 49752 HETZNER-ASDE Germany 10->29 27 C:\Users\...\DHL Delivery Documents.exe.log, ASCII 10->27 dropped 45 Writes to foreign memory regions 10->45 47 Allocates memory in foreign processes 10->47 49 Injects a PE file into a foreign processes 10->49 15 aspnet_compiler.exe 10->15         started        file5 signatures6 process7 signatures8 51 Modifies the context of a thread in another process (thread injection) 15->51 53 Maps a DLL or memory area into another process 15->53 55 Sample uses process hollowing technique 15->55 57 2 other signatures 15->57 18 explorer.exe 15->18 injected process9 process10 20 msdt.exe 18->20         started        signatures11 39 Modifies the context of a thread in another process (thread injection) 20->39 41 Maps a DLL or memory area into another process 20->41 43 Tries to detect virtualization through RDTSC time measurements 20->43 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a4424af54555e5a81f6fa4e2b2c42c6d19c71bbcc261cd1be14af245c3b711c/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-01-28 12:37:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
12
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjccjl2ukvpfvapw7jhcwlccy3izy4n3zqtbzun6csxsixb3oeoa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07bed83b3f7c13154a148f82ceac3fe9f68a7995ed5a939e91427e611bfaa863
Formbook
194eecb866b404241cc14abfccf3ece512927dafff1e64248e1b1fb4e4acbd26
Formbook
3f277a6819833eb0c7feab4e952301b4bac883e38ec8bd266093b6757d1920e8
Formbook
75e51d5e7662ad2c7ee23822ebf5246ce2d3257734ef87883f57bbcffe13c5d2
Formbook
9e6a92df11bb23b335d5bbf85731a1ea96f6c4038a24c2e4edb28e2169804c30
Formbook
a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a
Formbook
c7eeea84c68c73b96a2bc816b9738ca8c9c2abe93f7705ec07f8d1205422d86e
Formbook
d36d73e78b048c34b8ed4b2c1035f27c0c1857ae8eb5f1167942981139138b35
Formbook
d89ceaf1e34dd42cef063ecb6b8e219479f276c6cc30e2ab6ae8c881a8d60633
Formbook
f75fa96a8fe88dc2fffd64208705d26fb980db33afff6b872f34e1f9034e0363
Formbook
+ 12'910 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:zqzw loader rat suricata
Link:
https://tria.ge/reports/220128-ptgk2acean/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
7a4424af54555e5a81f6fa4e2b2c42c6d19c71bbcc261cd1be14af245c3b711c
MD5 hash:
5bc8492c9f262d1f9840635b87edf9c5
SHA1 hash:
da867a8b837e43c91414ff46d239ab95b799d04b
Link:
https://www.unpac.me/results/a614a272-b9ea-4aa6-968b-711a0276e9be/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7a4424af5455/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.73
Link:
https://yomi.yoroi.company/submissions/7a4424af54555e5a81f6fa4e2b2c42c6d19c71bbcc261cd1be14af245c3b711c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

34a8e89b0eea2ce8ec61a904ef465344f2f4ff16c4f7e8feecb93b0b984769e7

Formbook

Executable exe 7a4424af54555e5a81f6fa4e2b2c42c6d19c71bbcc261cd1be14af245c3b711c

(this sample)

  
Dropped by
MD5 5c69130ffabdd4c25b6f710f1dd99eae
  
Dropped by
SHA256 34a8e89b0eea2ce8ec61a904ef465344f2f4ff16c4f7e8feecb93b0b984769e7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/225020/

Comments