MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 879ff48aeaeee7c94d11e1988c282be172b994b2ad436f966937ffe6e3258275. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 879ff48aeaeee7c94d11e1988c282be172b994b2ad436f966937ffe6e3258275
SHA3-384 hash: 6d9cd684345eb3a8235195edcd561824a6361d7a67fefb95ca126f27aa2ce50459365d44f091c6e47948bb9bd3afa393
SHA1 hash: fd69e37b828320ed886de737b1e3c2b753b012cc
MD5 hash: e5f92dbaa09c06aebc71801534faa026
humanhash: four-football-wyoming-lamp
File name:DHL PARCEL.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:471'552 bytes
First seen:2022-05-19 11:20:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:DZKHB4fuqlaqMfD7w/79khCD1gPjxJBS9/Gq+rB3lDMoRimJzb0SWY5gmsgwETQZ:dKH22qla5w/yXbxrSeRGH65g1ET/nMm
Threatray 13'676 similar samples on MalwareBazaar
TLSH T180A4F1196F8B4288C8A82B3789F79754FB516F61407BD72BADC33A5D99077D22EC02C4
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 182b4d5d84f0f0b2 (9 x Formbook, 8 x AgentTesla, 6 x RemcosRAT)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL PARCEL.exe
Verdict:
Suspicious activity
Analysis date:
2022-05-19 02:16:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0623e1b3-28bc-454e-8968-2d8d68343582

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272493/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/6286286a3baea5a8c042f3a8/reports/0970dac0-0ad1-4397-8242-0279428a4b3c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2411f092-aaf8-4681-9b9d-00bb6ab69f9a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/997613
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/879ff48aeaeee7c94d11e1988c282be172b994b2ad436f966937ffe6e3258275/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-18 11:03:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6p7jcxk53t4stir4gmiykbl4fzltffsvvbw7ftjg776nyzfqj2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
203bfe6c0c5879e5951719fa76fdd9de0343e2652b58141660651d84790310ed
Formbook
38444024682d6ea391135d374ecd6f457bb01df512801e25fcbd2931afe58d92
Formbook
3b10fd5bae448476e22cca9c4b9b12263c089af68ebfeb7159ddaf2f4ec3e7bc
Formbook
54d3a5ab9cf83b63a50a382b1f3fe4f2bdc03620744b9ecdee74723415fccd9d
Formbook
92757225e0960360fecddb2347f8c20601ff12479207486d4a5b46a1322dbb12
Formbook
c6eb55e95d67cd97e33c9db999877616465567fbab73a4ab2face292bb6df2f0
Formbook
cee2290e27d378faacd5a9ab5fc579e912c1ecee9db29e4e79d8b9cd7ee10c94
Formbook
de169c8e113efa4b4899ce2031442d81b243354cab40e8175dbefa7166c371d1
Formbook
+ 13'666 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:64pf loader rat
Link:
https://tria.ge/reports/220519-nfzzsaefa9/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Xloader Payload
Xloader
Unpacked files
SH256 hash:
7be996a0d29a59552e222a59344f4b6f67f75ec85a91746f4e91aa2546786b79
MD5 hash:
f7a084c08193293cdf9ffc26e9469b2c
SHA1 hash:
1c57bb4fa8331e6d6c76253947fc7ed3265cf668
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c2065ace-49cf-4dcd-959b-e654b99a9089/
Parent samples :
0285ce41301dcc6dfcf076c3a5897010a2c3c52f24016c2464a52d9124d5467b
879ff48aeaeee7c94d11e1988c282be172b994b2ad436f966937ffe6e3258275
SH256 hash:
26b581f2b91cc446a10656b2a40bc449e7748499aa06a8d1bdecbcd5ba360f68
MD5 hash:
7a776c51c659eaa81e21a2326be6c3d6
SHA1 hash:
fc056c2025ccb73d1459b5330babdd31f496e8fd
Link:
https://www.unpac.me/results/c2065ace-49cf-4dcd-959b-e654b99a9089/
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/c2065ace-49cf-4dcd-959b-e654b99a9089/
SH256 hash:
879ff48aeaeee7c94d11e1988c282be172b994b2ad436f966937ffe6e3258275
MD5 hash:
e5f92dbaa09c06aebc71801534faa026
SHA1 hash:
fd69e37b828320ed886de737b1e3c2b753b012cc
Link:
https://www.unpac.me/results/c2065ace-49cf-4dcd-959b-e654b99a9089/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/879ff48aeaee/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/879ff48aeaeee7c94d11e1988c282be172b994b2ad436f966937ffe6e3258275

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Reverse_DOS_header
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects an reversed DOS header
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 879ff48aeaeee7c94d11e1988c282be172b994b2ad436f966937ffe6e3258275

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/272493/

Comments