MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 920a16d2a8e3f31fefc9616d99547362eca7835af553858835166e54736bc91e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 8 File information Comments

SHA256 hash:	920a16d2a8e3f31fefc9616d99547362eca7835af553858835166e54736bc91e
SHA3-384 hash:	0995d2b7ba5b9d4a245871512d8a1dc3bd58ef48843f352139011601ed2fe8bfece4a3a1bf0797d2df31cd9fac9ebb18
SHA1 hash:	5fdce46e7abcdcb186b0378bb5538f054012acb3
MD5 hash:	d494a702c1e3ba71fff991db50a40724
humanhash:	xray-winner-echo-summer
File name:	DHL.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	296'082 bytes
First seen:	2023-03-09 13:09:27 UTC
Last seen:	2023-03-09 14:29:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:KYa6ZgEhUNSh5awi6ixtexWELh48uPOvPk0YJ/W9gh/I:KYEEhcShs56Coou490+MgG
Threatray	2'239 similar samples on MalwareBazaar
TLSH	T10E5412083174C9A7EC7907F2163A64523EFAAC3B55B6830F9714B7543B332D2AA4B716
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9e1f25494b370f0d (2 x Formbook)
Reporter	abuse_ch
Tags:	DHL exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

224

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

DHL.exe

Verdict:

Malicious activity

Analysis date:

2023-03-09 13:23:09 UTC

Tags:

stealer formbook trojan

Link:

https://app.any.run/tasks/f43e27e3-c039-4e2b-aa7b-7275acf28e80

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/372997/

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.1976.17858.20645.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6409daaff1a68c396b2e26c1/reports/a2527b19-1c4f-42c7-b9ed-8d5a4bcf74e6/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/920a16d2a8e3f31fefc9616d99547362eca7835af553858835166e54736bc91e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b6161a92-e106-4bf9-8cfb-fba238de410c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1190345

Signature

Antivirus detection for URL or domain

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/920a16d2a8e3f31fefc9616d99547362eca7835af553858835166e54736bc91e/

Threat name:

Win32.Trojan.GuLoader

Status:

Malicious

First seen:

2023-03-09 08:14:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sifbnuvi4pzr736jmfwzsvdtmlwkpa226vjylcbvczxfi43lzepa._file

Verdict:

malicious

Label(s):

formbook

Formbook

43440434172d5730884fa5f0ae4f7ae73c4815e74618d18bc405d18dd325fed4

Formbook

88043d723394b97599313522b0a2f599f8678529ba0febfebb6642cc966bde94

Formbook

b3fe3de729e3bacd16f951173d7e42ec7fae5bf90909cece61e782282fd96ced

Formbook

b6b4defc23fd79807ed6c5a4e2a111465c3e444a6efd07e837fcfffa4a19b688

Formbook

c4ab14d93e54b2c6e70fa0f284cee729b56186894dfdff4207cbc3d0c690c80f

Formbook

cec7134d68d67d6f7ee0d32945f6ee4eafeb58a68c4769867f212ad879480c22

Formbook

d69b13f1276594f9f10cf722a15179b0d71911a92d15a726e1bdd234a880cf92

Formbook

eedf79769078bf047dbdf03d4c4e352aaebd783624bd8dcf1de29fba4bc51c56

Formbook

f5ae9ee403c63e78514c23cdb6297c09a5367c241f6151def5fe1fc096946de4

Formbook

+ 2'229 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230309-qeenkabd7s/

Behaviour

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

6f8579f57e59dd463269dd394cf8b28d4caf5816eb560086249b32adbcbd56de

MD5 hash:

ea61c56d092ef0b864308d22cadd4888

SHA1 hash:

4a918502c4097d74860eced77d96b331723916e8

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/c569133f-9c98-482d-8100-ad3e66b56e85/

Parent samples :

2cee3b34015cda890225c0937db8e9d36372f2f4cd11efe9fbf1770306cf6b3d
920a16d2a8e3f31fefc9616d99547362eca7835af553858835166e54736bc91e
d0ac15eeb53f64ad6f399ead8724f38344daf243332f03790598c6716a04f162

SH256 hash:

7599909ef18a2f043f140fb5e53cf635acefbfce10cacbcc1171070ed46ee097

MD5 hash:

d85e3c5becae6b8348e0233f2353a36a

SHA1 hash:

ca829b0cafebad99d0c177ffee4e4d9704275052

Link:

https://www.unpac.me/results/c569133f-9c98-482d-8100-ad3e66b56e85/

SH256 hash:

b597cc548259767a1a8d215e62f9280fc397423b00ed2ab7d04972f5f6254243

MD5 hash:

da255b731b878318010745dfb45ee88d

SHA1 hash:

bc41ca2dffe914ee70425abdcbf8c7f3f01ce2c6

Link:

https://www.unpac.me/results/c569133f-9c98-482d-8100-ad3e66b56e85/

SH256 hash:

920a16d2a8e3f31fefc9616d99547362eca7835af553858835166e54736bc91e

MD5 hash:

d494a702c1e3ba71fff991db50a40724

SHA1 hash:

5fdce46e7abcdcb186b0378bb5538f054012acb3

Link:

https://www.unpac.me/results/c569133f-9c98-482d-8100-ad3e66b56e85/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/920a16d2a8e3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/920a16d2a8e3f31fefc9616d99547362eca7835af553858835166e54736bc91e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/372997/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample