MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88133a48392aad7e165f4865ea94c81fab70ecc280c2474a0a8da47036bd1135. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88133a48392aad7e165f4865ea94c81fab70ecc280c2474a0a8da47036bd1135
SHA3-384 hash: fdbd7085267af805d29ac6c41d8c0995eda8e01db82f4e4cb828aeece8431d40617cc503ffeebe66ee71a94d7dc102d6
SHA1 hash: 4976b84ca802c148b03807f61728c057c6531cca
MD5 hash: 755fb8021aa591392bf35a077cc1cc1c
humanhash: cold-sodium-robert-yankee
File name:DHL-Quittung _6368638172, pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:634'880 bytes
First seen:2022-05-16 12:22:24 UTC
Last seen:2022-05-16 12:51:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:jt0i2GaHaGYmwXsdgFyl5Leens34TtjclCV3Li09zDT:aGPGYmwX1ALeens34Txn3
Threatray 15'853 similar samples on MalwareBazaar
TLSH T1A6D4811C7B054E72FE1F857058110B34BBA2BF637680AA97678B35DB87AF1672D05C88
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f9c9c9c8dcc1ce0c (13 x AgentTesla, 3 x Formbook, 2 x Loki)
Reporter abuse_ch
Tags:DEU DHL exe FormBook geo

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL-Quittung _6368638172, pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-05-16 12:25:16 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/fb988ebb-8c08-4067-95cd-07515f1d91a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/271116/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Unauthorized injection to a recently created process
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Forced shutdown of a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cmd.exe obfuscated packed
Link:
https://www.filescan.io/uploads/6282423b22b733139c209a6a/reports/e03ea0a0-66b7-487c-aeeb-fa12a1fd705f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/48879b4b-f027-4466-a343-c7530a8b0494
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994899
Signature
Antivirus detection for URL or domain
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 627395 Sample: DHL-Quittung _6368638172, pdf.exe Startdate: 16/05/2022 Architecture: WINDOWS Score: 100 66 www.dzgy6699.com 2->66 86 Found malware configuration 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 Antivirus detection for URL or domain 2->90 92 7 other signatures 2->92 10 DHL-Quittung _6368638172, pdf.exe 2 2->10         started        14 Scan.exe 1 2->14         started        16 Scan.exe 2->16         started        signatures3 process4 file5 60 C:\...\DHL-Quittung _6368638172, pdf.exe.log, ASCII 10->60 dropped 94 Injects a PE file into a foreign processes 10->94 18 DHL-Quittung _6368638172, pdf.exe 10->18         started        21 cmd.exe 3 10->21         started        24 cmd.exe 1 10->24         started        62 C:\Users\user\AppData\Local\...\Scan.exe.log, ASCII 14->62 dropped 96 Multi AV Scanner detection for dropped file 14->96 98 Machine Learning detection for dropped file 14->98 26 Scan.exe 14->26         started        28 cmd.exe 1 14->28         started        30 cmd.exe 1 14->30         started        signatures6 process7 file8 76 Modifies the context of a thread in another process (thread injection) 18->76 78 Maps a DLL or memory area into another process 18->78 80 Sample uses process hollowing technique 18->80 82 Queues an APC in another process (thread injection) 18->82 32 help.exe 18->32         started        35 explorer.exe 18->35 injected 56 C:\Users\user\AppData\Roaming\Scan\Scan.exe, PE32 21->56 dropped 58 C:\Users\user\...\Scan.exe:Zone.Identifier, ASCII 21->58 dropped 37 conhost.exe 21->37         started        84 Uses schtasks.exe or at.exe to add and modify task schedules 24->84 39 conhost.exe 24->39         started        41 schtasks.exe 1 24->41         started        43 WerFault.exe 3 10 26->43         started        46 conhost.exe 28->46         started        48 schtasks.exe 1 28->48         started        50 conhost.exe 30->50         started        signatures9 process10 file11 68 Self deletion via cmd delete 32->68 70 Modifies the context of a thread in another process (thread injection) 32->70 72 Maps a DLL or memory area into another process 32->72 74 Tries to detect virtualization through RDTSC time measurements 32->74 52 cmd.exe 1 32->52         started        64 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 43->64 dropped signatures12 process13 process14 54 conhost.exe 52->54         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/88133a48392aad7e165f4865ea94c81fab70ecc280c2474a0a8da47036bd1135/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 06:09:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
108
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rajtusbzfkwx4fs7jbs6vfgid6vxb3gcqdbeosqkrwshanv5ce2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2bdaf416c6fa9ade8a8d0195da13ffb9194da117496f120368a31eefefa0d73e
Formbook
31fcd3d5d4db88d5742905ad8c2717d6c107b246ff4423745c3bbaf8f66e1a7a
Formbook
53685ac5f275b61fc580f2203e7d7e431d2b03b8e4320015b428745d68d5e333
Formbook
5f8d69976e4d3c9b6508cd376dcab4971a605d8d1122952ad604f7b48d2ef1e1
Formbook
787179b3dd4ded4008927e4033331b00b60762872da94de5db3e6bf4a3b6e143
Formbook
aef61e04be1ed29f19e1ad3f861c132466c578b12c462a00ad6f517024c139ae
Formbook
af985554eebc4990f77fc7c337d7af4367c2e28acbb41386669e5fa3bb55fbcd
Formbook
c68894e6a7551cdf34c082a0ba372f9544d07aee0f2d09dfb7fed3e664e91aaf
Formbook
eaa4e2adb72f1527d81303db909e73c696bfe29e3ed0d91cb4ff35f47e4abfb1
Formbook
+ 15'843 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:hd93 loader rat suricata
Link:
https://tria.ge/reports/220516-pkgvfadhbq/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
62ad8ebef68c09f35defbc804c7a625b5a5604fe6d19096ed2592683bb0423e4
MD5 hash:
c45067c7e1894e413cf98ce09ff126f4
SHA1 hash:
c5ecfe3459856fdad9536cfe9d061f2ede72ec49
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/97510b3e-77dc-416d-ba6d-40d83e87b66f/
Parent samples :
88133a48392aad7e165f4865ea94c81fab70ecc280c2474a0a8da47036bd1135
ba3eb6491a8a4953418407379da280e591d403f2ada5f3ac941bcfaab1951418
f972d2b79416a3e89b55442cdb1543ab8bc2186564fde9759a7b57a941ee4ebd
SH256 hash:
88133a48392aad7e165f4865ea94c81fab70ecc280c2474a0a8da47036bd1135
MD5 hash:
755fb8021aa591392bf35a077cc1cc1c
SHA1 hash:
4976b84ca802c148b03807f61728c057c6531cca
Link:
https://www.unpac.me/results/97510b3e-77dc-416d-ba6d-40d83e87b66f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88133a48392aad7e165f4865ea94c81fab70ecc280c2474a0a8da47036bd1135

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Babel
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Babel
Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_Goliath
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Goliath
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/271116/

Comments