MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c414ec076a803e04e7c01d98c79516967eec77dc8cca0ddbe236cea79ddcff8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c414ec076a803e04e7c01d98c79516967eec77dc8cca0ddbe236cea79ddcff8
SHA3-384 hash: 410e5286af9a84619996be1819dcdb1cdbe640e3463b4e5df0813ea6986d2934d6a41a97646805b3f721681c5baeca9b
SHA1 hash: a08c43c0ae260a6330bcb9e67999cf547a154559
MD5 hash: 523e628a14d393500f14f9fd02111179
humanhash: low-coffee-florida-mexico
File name:DHL Express.04017.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:935'936 bytes
First seen:2021-01-28 15:51:40 UTC
Last seen:2021-02-16 08:52:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:UgKy4MTt1HSqcRGZ6ieCqroI72Y0ARLUqkjian/HvNhswA:X1HtsieRR72Y0ARLh0ia/PNh
Threatray 3'658 similar samples on MalwareBazaar
TLSH 0D15DE21E6049B45E4394F39403A8CE00FFBED21C3EED516BDEEB6EB36F1A519159602
Reporter GovCERT_CH
Tags:FormBook

Intelligence

File Origin
# of uploads :
8
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Express.04017.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-28 15:53:45 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/4dd2135b-7415-4a92-a16d-acb351770424

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114254/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36260005.29961.19698.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Creating a window
Sending a UDP request
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/593066
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 345577 Sample: DHL Express.04017.pdf.exe Startdate: 28/01/2021 Architecture: WINDOWS Score: 100 35 www.narenacademy.com 2->35 37 narenacademy.com 2->37 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 9 other signatures 2->51 11 DHL Express.04017.pdf.exe 3 2->11         started        signatures3 process4 file5 33 C:\Users\...\DHL Express.04017.pdf.exe.log, ASCII 11->33 dropped 61 Injects a PE file into a foreign processes 11->61 15 DHL Express.04017.pdf.exe 11->15         started        18 DHL Express.04017.pdf.exe 11->18         started        20 DHL Express.04017.pdf.exe 11->20         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 22 explorer.exe 15->22 injected process9 dnsIp10 39 lucidpair.com 34.102.136.180, 49744, 49745, 49748 GOOGLEUS United States 22->39 41 www.thefallofthedollar.com 22->41 43 8 other IPs or domains 22->43 53 System process connects to network (likely due to code injection or exploit) 22->53 26 systray.exe 22->26         started        signatures11 process12 signatures13 55 Modifies the context of a thread in another process (thread injection) 26->55 57 Maps a DLL or memory area into another process 26->57 59 Tries to detect virtualization through RDTSC time measurements 26->59 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8c414ec076a803e04e7c01d98c79516967eec77dc8cca0ddbe236cea79ddcff8/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-01-28 14:12:15 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrau5qdwvab6att4ahmyy6krnft65r35zdgkbxn6enwou6o5z74a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1285da1bcd0075a10d2e8f1d3811ceebacef662558186c6550ccc29c53e699b3
Formbook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
Formbook
6a7659b4614c990d4feba15eeef035d47dcb8f46d92320620205eb6131eaf6a4
Formbook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
Formbook
8aecd1adbf0fe3c5e9e40c19893c1ca3464ed8e0502bfdb4acb871b95009f956
Formbook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
Formbook
9e15ebbf48baef0f33c9ceb2e69566ec71d77271270a65dc5a7cf19a450f1a62
Formbook
adc10139a3870919bf60c4345f1e9d09eec3c590a434e761c55ff3da112e9a68
Formbook
bfa63841a36301ed60a4a0c177ad229a1b09266034182b7c8695fa5d7324f0b4
Formbook
e34426ec0d12a3acde221f2a5e5476528e028c1fc980a7c2d35dcfdde9caccab
Formbook
+ 3'648 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210128-c8py4tanhx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.thefallofthedollar.com/ocq1/
Unpacked files
SH256 hash:
f0ffe46d8dfc0eac78ae135d9c950bc9da0bb73b1c5cb148f6e1def46717c03e
MD5 hash:
a337c683f04ec0e3ff642b8441fc2b72
SHA1 hash:
294e07f4ad57a5e47bcde68e30b70bfb80f94571
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b4880c13-8fc9-4919-b48a-dd20a92bc247/
SH256 hash:
bd03f1419db658015507630078378ed7b24ed480166fb9855308e78cd249fb44
MD5 hash:
06ba0381250a64535e2ff8dcf4f37907
SHA1 hash:
bb9f2a2c1d8bdabeefcb7b1f0333a47ae144571c
Link:
https://www.unpac.me/results/b4880c13-8fc9-4919-b48a-dd20a92bc247/
SH256 hash:
d4927acd9ca872faf4073b7cb482f41a02abe7a0d5fb323484d56b449bc7a6f8
MD5 hash:
cea939ec7297ec8dd320d8564d51648f
SHA1 hash:
bb1cd8ac9a6813113f27c28c7065a53016084757
Link:
https://www.unpac.me/results/b4880c13-8fc9-4919-b48a-dd20a92bc247/
SH256 hash:
8c414ec076a803e04e7c01d98c79516967eec77dc8cca0ddbe236cea79ddcff8
MD5 hash:
523e628a14d393500f14f9fd02111179
SHA1 hash:
a08c43c0ae260a6330bcb9e67999cf547a154559
Link:
https://www.unpac.me/results/b4880c13-8fc9-4919-b48a-dd20a92bc247/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/8c414ec076a803e04e7c01d98c79516967eec77dc8cca0ddbe236cea79ddcff8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

ace ad03150af3ff60903e8e40a88c62912ebb632de325039d67e73e937449ad6f6b

Formbook

Executable exe 8c414ec076a803e04e7c01d98c79516967eec77dc8cca0ddbe236cea79ddcff8

(this sample)

  
Dropped by
MD5 8d3ded8c285d9d95dc143106f96cbf06
  
Dropped by
SHA256 ad03150af3ff60903e8e40a88c62912ebb632de325039d67e73e937449ad6f6b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/114254/

Comments