MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8de3d12f5661c36ae89e13085dc5d4c6db3000e434f960eb80adece4aaae8219. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8de3d12f5661c36ae89e13085dc5d4c6db3000e434f960eb80adece4aaae8219
SHA3-384 hash: 304eb34ccea139aab09be7151abc31c7f087bdfa185e313e4e7fb84ebaebec71055052c2b5b0d2ac275b553e7fb5a94a
SHA1 hash: 48eb397866bd4e5ff3d339e930cab4ada5bedf35
MD5 hash: 5d2330d1bd0cc29e82b9c65e52add8d6
humanhash: autumn-uniform-floor-robert
File name:DHL No_SINI0068206497.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'034'240 bytes
First seen:2020-11-12 12:32:20 UTC
Last seen:2024-07-24 18:50:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'450 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:THVQ4Vw/0mxXu9hjk0OTsk88O2jW1md4/wYKIsPVwFS9Wjy7AByGuFFTZlj8N:P81Chjk0ot88Kb/zsKyEAH
Threatray 2'922 similar samples on MalwareBazaar
TLSH C8257B21378C9FA9E128A27594551C01B3FEDF93BF23EA657C553888C4B1F90E62CE52
Reporter Anonymous
Tags:FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject4.4873.24195.646.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Launching cmd.exe command interpreter
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/532621
Signature
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 315413 Sample: DHL No_SINI0068206497.exe Startdate: 12/11/2020 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 7 other signatures 2->53 10 DHL No_SINI0068206497.exe 3 2->10         started        process3 file4 37 C:\Users\...\DHL No_SINI0068206497.exe.log, ASCII 10->37 dropped 65 Injects a PE file into a foreign processes 10->65 14 DHL No_SINI0068206497.exe 10->14         started        signatures5 process6 signatures7 69 Modifies the context of a thread in another process (thread injection) 14->69 71 Maps a DLL or memory area into another process 14->71 73 Sample uses process hollowing technique 14->73 75 Queues an APC in another process (thread injection) 14->75 17 explorer.exe 14->17 injected process8 dnsIp9 41 147theatre.com 34.102.136.180, 49779, 49780, 49781 GOOGLEUS United States 17->41 43 www.twitterq.com 156.224.219.55, 49763, 49767, 49768 COMING-ASABCDEGROUPCOMPANYLIMITEDHK Seychelles 17->43 45 2 other IPs or domains 17->45 55 System process connects to network (likely due to code injection or exploit) 17->55 21 chkdsk.exe 18 17->21         started        25 autofmt.exe 17->25         started        signatures10 process11 file12 33 C:\Users\user\AppData\...\J05logrv.ini, data 21->33 dropped 35 C:\Users\user\AppData\...\J05logri.ini, data 21->35 dropped 57 Detected FormBook malware 21->57 59 Tries to steal Mail credentials (via file access) 21->59 61 Tries to harvest and steal browser information (history, passwords, etc) 21->61 63 3 other signatures 21->63 27 cmd.exe 2 21->27         started        signatures13 process14 file15 39 C:\Users\user\AppData\Local\Temp\DB1, SQLite 27->39 dropped 67 Tries to harvest and steal browser information (history, passwords, etc) 27->67 31 conhost.exe 27->31         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8de3d12f5661c36ae89e13085dc5d4c6db3000e434f960eb80adece4aaae8219/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-11-11 09:43:23 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rxr5cl2wmhbwv2e6cmef3rouy3ntaahegt4wb24avxwojkvoqimq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19a8a4216e0f95f9c4ad7d8318599a9e91791867e3b757b16eae9b2f1e38a143
FormBook
2829f8bf819c13d753f3c6b33726df8c46a533f3040b550a86ca0ab34f967e92
FormBook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
FormBook
6bb732e1c22295b2fa6970a286225d14bd7c6fabef714f9b20c3a622bb8e7645
FormBook
83b4f4fef30eb6e425229b53856cca35eca4a11ea3f5ef182a525444ba122661
FormBook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
FormBook
99cc56c49ea22eaf929c14180a5625096c6652ae122fb35d913ae774604965f0
FormBook
a244a77f990bdec5f4f81d605990749206b6e5827e4bc140b9b4b2fbfdb0bb12
FormBook
d325c45529e7211242f65cabe3549dd635a23fc43b48c2b2a64ccff8d54c1ee2
FormBook
fddea1265c29e98f5b679ff034f27124b688f03f2d4c72442ce5f358ddd3eff0
FormBook
+ 2'912 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201112-gw5ysytgqn/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.wholesalebrands.xyz/mkr/
Unpacked files
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
Link:
https://www.unpac.me/results/30a78e12-c061-438f-bb37-aab0511f607b/
SH256 hash:
8de3d12f5661c36ae89e13085dc5d4c6db3000e434f960eb80adece4aaae8219
MD5 hash:
5d2330d1bd0cc29e82b9c65e52add8d6
SHA1 hash:
48eb397866bd4e5ff3d339e930cab4ada5bedf35
Link:
https://www.unpac.me/results/30a78e12-c061-438f-bb37-aab0511f607b/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments