MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b188a690c055feae9b9f736372162b5e53136322b2fef95bba8c99d4e9e6928. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b188a690c055feae9b9f736372162b5e53136322b2fef95bba8c99d4e9e6928
SHA3-384 hash: 9bc77e244b588294c52b8cade1734467d22ee300f9a490cc8fc2dbc935064bd8ba53af8abdfff4d5fe9f522203c5d5c5
SHA1 hash: ced666c07c25219fcb90ccc3559af8d8e54206fa
MD5 hash: 7a339265a0a4ded97d20128e7a7f0d22
humanhash: social-friend-pennsylvania-summer
File name:DHL_AWB#6078538091.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:739'328 bytes
First seen:2024-06-17 15:04:11 UTC
Last seen:2024-06-17 15:33:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:S2iNvFIsPA7q1g7j7gHOVPzhKDgqxNngTbEPpNfU3VWSCBHP+C:S1DIKh1k69NngTbEPpN8uZPR
Threatray 428 similar samples on MalwareBazaar
TLSH T19FF4124537E80B76C2BB8BBD5A60A06243756B0376F3E35C9DC664EE0C72B650212F5B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
327
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8b188a690c055feae9b9f736372162b5e53136322b2fef95bba8c99d4e9e6928.exe
Verdict:
Malicious activity
Analysis date:
2024-06-17 15:14:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0586e628-a3f6-48cb-b675-635408c8a6d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=667052650f8138dd4eaba0dewin7simulatehigh_evasion
Tags:
Generic Static Nekark
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/667050a249a1c830626754af/reports/51d9ee96-4d12-49c0-abb0-3c65f90e6190/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8b188a690c055feae9b9f736372162b5e53136322b2fef95bba8c99d4e9e6928
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c8455a02-aa82-4eee-9fca-924d4cb65395
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1458438
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1458438 Sample: DHL_AWB#6078538091.exe Startdate: 17/06/2024 Architecture: WINDOWS Score: 100 33 www.heolty.xyz 2->33 35 www.quickstart.design 2->35 37 8 other IPs or domains 2->37 45 Snort IDS alert for network traffic 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 53 7 other signatures 2->53 10 DHL_AWB#6078538091.exe 3 2->10         started        signatures3 51 Performs DNS queries to domains with low reputation 33->51 process4 file5 31 C:\Users\user\...\DHL_AWB#6078538091.exe.log, ASCII 10->31 dropped 67 Injects a PE file into a foreign processes 10->67 14 DHL_AWB#6078538091.exe 10->14         started        17 DHL_AWB#6078538091.exe 10->17         started        signatures6 process7 signatures8 69 Maps a DLL or memory area into another process 14->69 19 QknWGIyOSNIQhPX.exe 14->19 injected process9 signatures10 55 Found direct / indirect Syscall (likely to bypass EDR) 19->55 22 credwiz.exe 13 19->22         started        process11 signatures12 57 Tries to steal Mail credentials (via file / registry access) 22->57 59 Tries to harvest and steal browser information (history, passwords, etc) 22->59 61 Modifies the context of a thread in another process (thread injection) 22->61 63 3 other signatures 22->63 25 QknWGIyOSNIQhPX.exe 22->25 injected 29 firefox.exe 22->29         started        process13 dnsIp14 39 www.quickstart.design 46.28.106.211, 61297, 61298, 61299 WEDOSCZ Czech Republic 25->39 41 parkingpage.namecheap.com 91.195.240.19, 61301, 61302, 61303 SEDO-ASDE Germany 25->41 43 4 other IPs or domains 25->43 65 Found direct / indirect Syscall (likely to bypass EDR) 25->65 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8b188a690c055feae9b9f736372162b5e53136322b2fef95bba8c99d4e9e6928
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b188a690c055feae9b9f736372162b5e53136322b2fef95bba8c99d4e9e6928/
Threat name:
ByteCode-MSIL.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2024-06-17 09:07:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rmmiu2imavp6v2nz643doilcwxstcnrsfmx67fn3vdez2tu6neua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2bccfa58d85d040fb05abd1c50ecd107c56c0ac20f84576d7a57b9074e471be5
Formbook
3130e85a4fa0df65c8ab6a310c3ea1cb2c91e4cc2cc55f77c1dfa1e606037438
Formbook
6945513b267f5df1d7eeb48c8d95c6ff83b5f97d105bfd11b666734bf4c3f6b8
Formbook
c040726eab61fc794f91f7d7712de11b4955c76db950e3b85ef57d413b15eb87
Formbook
d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
Formbook
d806f682d459f166ee4cb6a5a82a2c38e70cbdec81358749315e60f97550778a
Formbook
e3dc38ad4bb6f9e5109ff01bb417fef1e9ba7e3f269d3528ae19fc868809c123
Formbook
e8eac417d6b3650b3922e621cbff64aeca0848583d0ffbb8dce64f6bd331587b
Formbook
fb5431795717f39dfc9c2426af31582b6987a85f66ba3f50cba6fe865589bfd6
Formbook
+ 418 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240617-sf6vjsvcma/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
bd5059cd9a94a65d91e735dd0f970c108db925e7fcd68d80087dd0db5d55e714
MD5 hash:
27bef8220ab4ee8c4ba33b5b35f74628
SHA1 hash:
b6df2657c2cdb3a2fa9e227f7be055b24a66b49c
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/0f35d848-9078-4aa0-831a-b661bd0e5397/
Parent samples :
8b188a690c055feae9b9f736372162b5e53136322b2fef95bba8c99d4e9e6928
7ddcda1e8561e9d96107c717c5cf5ef9a2f3ff3f5f4c1b188b92b010fc779aa2
ec8593824d221cfed6b537906fcf5d1604f31b8e5d876e796f489d41e037ae50
SH256 hash:
636380fa5fceef572805f47a966280b893aedb61a89eea3112b1fc19a903b5f9
MD5 hash:
2a2dc8451fd3983264c0f9816bd7abba
SHA1 hash:
3b1d4a8658429b967180845cc0e88d55084c8f7e
Link:
https://www.unpac.me/results/0f35d848-9078-4aa0-831a-b661bd0e5397/
SH256 hash:
fe1504a5536f8f95bbdb7e5ce2f06e610c07497b37cc25d3e56c0299a4812845
MD5 hash:
08f8c880b379a294c5b82885a8a5103b
SHA1 hash:
f7e48aed3c3e88987b7886fb983981989aa69fc3
Link:
https://www.unpac.me/results/0f35d848-9078-4aa0-831a-b661bd0e5397/
SH256 hash:
c4b12039bfed4c8bbb9d1376004da60480e49a379a84c9e60565bbd5caef07b2
MD5 hash:
144f7fcaaa3b81b0a3706203a7f1add8
SHA1 hash:
4bc14913fd448b4a2664e1e9ba664a1c6e9a9194
Link:
https://www.unpac.me/results/0f35d848-9078-4aa0-831a-b661bd0e5397/
SH256 hash:
ecf1257cb2839319c722daf5323ba2ed7060368b46f84610b6b6823323297826
MD5 hash:
cba51dcdec84ac14ce1eaf2ede86f28b
SHA1 hash:
2e77e64525600817d96b4d9c497135c989e608ee
Link:
https://www.unpac.me/results/0f35d848-9078-4aa0-831a-b661bd0e5397/
SH256 hash:
169076d4a9380f67ec034a4bf33c2812d3c9fd83fd7031437c4fbc2eeaa5438e
MD5 hash:
c5f49d7299eff6c42fd4c9eff1c6fbed
SHA1 hash:
eed142b6095b42799e4d789fc8898dd95ef6d82c
Link:
https://www.unpac.me/results/0f35d848-9078-4aa0-831a-b661bd0e5397/
SH256 hash:
d43ef9587bc7ecf4f6d596640b49fa58cd359d306822f59a20d52d0ce60eb551
MD5 hash:
d031c345c629afdef1c7b8c20669c57f
SHA1 hash:
dc182a087fcd4691084d5018a559f47977c0d414
Link:
https://www.unpac.me/results/0f35d848-9078-4aa0-831a-b661bd0e5397/
SH256 hash:
dc0253082e94d4bdc5864ee2a604e124285aa5638380f05f207d13717e90abc1
MD5 hash:
7f479b7dae914677a9500c4681d640b0
SHA1 hash:
85426637597365e4123bb197b1f0277b3a598cf3
Link:
https://www.unpac.me/results/0f35d848-9078-4aa0-831a-b661bd0e5397/
SH256 hash:
299e9b884147913d386b13b30898fe1c44b73fc2d6a63bc0e56317309d6b44ee
MD5 hash:
eff9b3e5372b107a9b90f2b129f3bef8
SHA1 hash:
7be24b925b39951474d1b7871f90b36215b53955
Link:
https://www.unpac.me/results/0f35d848-9078-4aa0-831a-b661bd0e5397/
SH256 hash:
3ca780382b8d527cc800fb87f0955671c26982fff01b33202e7141bc08f7460e
MD5 hash:
413fa8dfb9e3741b4834a738fcca7cc0
SHA1 hash:
68501e5a9098cda49af85b208543da6431c322bd
Link:
https://www.unpac.me/results/0f35d848-9078-4aa0-831a-b661bd0e5397/
SH256 hash:
e34e314a8239c4739959184cd30eb41ce69cd16e3bc3901d91f0901b4689d112
MD5 hash:
13c6b303ac9db12beacea3f5a403701e
SHA1 hash:
65a221e7a1bbad36bab37be6b3bcec00fcf1b619
Link:
https://www.unpac.me/results/0f35d848-9078-4aa0-831a-b661bd0e5397/
SH256 hash:
8b188a690c055feae9b9f736372162b5e53136322b2fef95bba8c99d4e9e6928
MD5 hash:
7a339265a0a4ded97d20128e7a7f0d22
SHA1 hash:
ced666c07c25219fcb90ccc3559af8d8e54206fa
Link:
https://www.unpac.me/results/0f35d848-9078-4aa0-831a-b661bd0e5397/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8b188a690c05/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b188a690c055feae9b9f736372162b5e53136322b2fef95bba8c99d4e9e6928

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments