MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84c2a2d742fbccab3644af070d779ef71e8f377a6ab8d1a83127d2605622f105. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84c2a2d742fbccab3644af070d779ef71e8f377a6ab8d1a83127d2605622f105
SHA3-384 hash: 40ffe5f29896365f987d18fb8bee375998c1ccea6ee9eaeb2abb1c59872fa349f6c316fcc4537981f1623ec410000643
SHA1 hash: 25cfec6a2b4e9c1cc51fcf343bbef54fcef8c3b9
MD5 hash: 3223bedb21ba57b91733676031df958a
humanhash: victor-sixteen-lemon-ceiling
File name:DHL AWB Receipt_pdf.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:818'696 bytes
First seen:2025-03-03 07:43:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:73ilzaYduOSYZ0/IL1C3sqYxYDQZ3TnNFOZ8KjRT:73izaYYOSECIoNSYDMNAZFFT
Threatray 2'339 similar samples on MalwareBazaar
TLSH T13F051278AB9AD502CA5117310E35F6B8273C6EDAF811C22B5FED6DEFBC726411E04246
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 201070f269696810 (4 x SnakeKeylogger, 3 x Formbook, 2 x DarkCloud)
Reporter abuse_ch
Tags:bat DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
461
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL AWB Receipt_pdf.bat
Verdict:
Malicious activity
Analysis date:
2025-03-03 07:51:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ab99fb89-521e-427b-a709-dbf2f38a79d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.12131.15353.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c55ebbc668b65489be9ab6
Tags:
redline virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature masquerade obfuscated obfuscated packed packed packer_detected signed vbnet
Link:
https://www.filescan.io/uploads/67c55dd03c5f644bd93fcadf/reports/b598a317-4e5d-4a17-b311-91f67a7985e6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/84c2a2d742fbccab3644af070d779ef71e8f377a6ab8d1a83127d2605622f105
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17fbbadd-b8e8-4a17-b2e3-892209c0d7de
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1627806
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1627806 Sample: DHL AWB Receipt_pdf.bat.exe Startdate: 03/03/2025 Architecture: WINDOWS Score: 100 59 www.publicblockchain.xyz 2->59 61 www.031233435.xyz 2->61 63 13 other IPs or domains 2->63 75 Antivirus detection for URL or domain 2->75 77 Sigma detected: Scheduled temp file as task from temp location 2->77 79 Multi AV Scanner detection for submitted file 2->79 83 8 other signatures 2->83 10 DHL AWB Receipt_pdf.bat.exe 7 2->10         started        14 oSJLRdDbLeQ.exe 5 2->14         started        signatures3 81 Performs DNS queries to domains with low reputation 61->81 process4 file5 51 C:\Users\user\AppData\...\oSJLRdDbLeQ.exe, PE32 10->51 dropped 53 C:\Users\...\oSJLRdDbLeQ.exe:Zone.Identifier, ASCII 10->53 dropped 55 C:\Users\user\AppData\Local\...\tmpD3C2.tmp, XML 10->55 dropped 57 C:\Users\...\DHL AWB Receipt_pdf.bat.exe.log, ASCII 10->57 dropped 93 Writes to foreign memory regions 10->93 95 Adds a directory exclusion to Windows Defender 10->95 97 Injects a PE file into a foreign processes 10->97 16 RegSvcs.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        27 3 other processes 10->27 99 Multi AV Scanner detection for dropped file 14->99 23 schtasks.exe 1 14->23         started        25 RegSvcs.exe 14->25         started        signatures6 process7 signatures8 71 Maps a DLL or memory area into another process 16->71 29 ctd5Fl0jEEYLVK.exe 16->29 injected 73 Loading BitLocker PowerShell Module 19->73 32 WmiPrvSE.exe 19->32         started        34 conhost.exe 19->34         started        36 conhost.exe 21->36         started        38 conhost.exe 23->38         started        40 conhost.exe 27->40         started        process9 signatures10 101 Found direct / indirect Syscall (likely to bypass EDR) 29->101 42 EhStorAuthn.exe 29->42         started        process11 signatures12 85 Tries to steal Mail credentials (via file / registry access) 42->85 87 Tries to harvest and steal browser information (history, passwords, etc) 42->87 89 Modifies the context of a thread in another process (thread injection) 42->89 91 3 other signatures 42->91 45 ctd5Fl0jEEYLVK.exe 42->45 injected 49 firefox.exe 42->49         started        process13 dnsIp14 65 031233435.xyz 144.76.229.203, 50010, 50011, 50012 HETZNER-ASDE Germany 45->65 67 www.publicblockchain.xyz 13.248.169.48, 58476, 58477, 58478 AMAZON-02US United States 45->67 69 8 other IPs or domains 45->69 103 Found direct / indirect Syscall (likely to bypass EDR) 45->103 signatures15
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/84c2a2d742fbccab3644af070d779ef71e8f377a6ab8d1a83127d2605622f105
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84c2a2d742fbccab3644af070d779ef71e8f377a6ab8d1a83127d2605622f105/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2025-03-03 05:02:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qtbkfv2c7pgkwnsev4dq254664pi6n32nk4ndkbre7jgavrc6ecq._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
1154039c4b1ff69d88c44d77a02d6f24c904e311880edd17b7ca9f5e4e1b26f4
Formbook
50282203a7b1158cff82796b1fa5a7725abd91e2d85bd68ead4c2e1e910b46b2
Formbook
64a8f5c2209bf86e1aa4489fffa5cf93aee6955b0106909345a313de38ad7885
Formbook
84bb8bba33e1a515260b02421d72da6ad0d685d432c64c572a230337dca28c54
Formbook
b031957e53e25b871f23308e6d88e7750e86040094ad1a7d35612a2d5795c456
Formbook
error
Formbook
+ 2'329 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250303-jkxb8s11g1/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4200748d-26c3-4ef9-99a1-48010e645c9c
Unpacked files
SH256 hash:
84c2a2d742fbccab3644af070d779ef71e8f377a6ab8d1a83127d2605622f105
MD5 hash:
3223bedb21ba57b91733676031df958a
SHA1 hash:
25cfec6a2b4e9c1cc51fcf343bbef54fcef8c3b9
Link:
https://www.unpac.me/results/4efc671f-a69c-4f71-86da-314fd3c718e1/
SH256 hash:
a527e61bf236d68d029dbf4afb53120e8eeb407479d0397c2487aa79fe009fcd
MD5 hash:
0e83ef43074516ada9dfad241c6629f5
SHA1 hash:
8bc51ac6ee87aa9316ca7a5301ea076f124e699e
Link:
https://www.unpac.me/results/4efc671f-a69c-4f71-86da-314fd3c718e1/
SH256 hash:
daf4f1d48b812a6e017f0f9f45ead57ac066e403f4ac7c0dfecae43d7d7e9b6f
MD5 hash:
c44baa611dd19524e27351a2a57b1fc6
SHA1 hash:
96a412c2d9bca5807f356340c67c146055fbe781
Link:
https://www.unpac.me/results/4efc671f-a69c-4f71-86da-314fd3c718e1/
SH256 hash:
eef1c0d5b928da05a57d574c797ddb3419b583a3b15bf5b08e483cbe375ec262
MD5 hash:
caacdab8fce14bee18fdf4d9c99355c7
SHA1 hash:
b9726b7639fee0fe3857abc7290c4886973f4013
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4efc671f-a69c-4f71-86da-314fd3c718e1/
SH256 hash:
557224e32dfdb63fa8a6d4c1fd0ba95f52e91a0284c23c125ee0b3a45c3500fe
MD5 hash:
d9c54f2e324f2d296cb16219ea7f55b0
SHA1 hash:
549b6e8f57e1745e7023347c2725062688ae7b2a
Link:
https://www.unpac.me/results/4efc671f-a69c-4f71-86da-314fd3c718e1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/84c2a2d742fb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84c2a2d742fbccab3644af070d779ef71e8f377a6ab8d1a83127d2605622f105

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments