MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9521b1dc80ef859b3a563bb1def4e3a7d6307b1d9f09f78b4dd2689593d868ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9521b1dc80ef859b3a563bb1def4e3a7d6307b1d9f09f78b4dd2689593d868ed
SHA3-384 hash: 2d47be71925104a501801b0a842fe56990bcf1f5e9b6575aafc067b59cb6c2c4aacc02325f629ff10613a4c4ec81af83
SHA1 hash: 364139b933ccf9ac16f593196f17953710e983b9
MD5 hash: bf3587cec82eb675530a5306b8778ef7
humanhash: oscar-mexico-jig-paris
File name:DHL EXPRESS.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'225'728 bytes
First seen:2022-04-20 09:12:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:z2WA6sDJXPdY7IZLQyKnq+x7vXruOY6CM:iW3sVFZSD
Threatray 15'735 similar samples on MalwareBazaar
TLSH T14C455B4E320B8921FA942330EBB7A31927908EBDC9A1970727F9B17DD53A379194077D
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon eadaaabaaaa28c8e (4 x Formbook, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264903/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/625fce79eab80a7a6c49432f/reports/794a7eaa-a457-466c-b79d-8132c9ecbb2f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/26b0512f-1d8b-4552-9a65-eff82b20f950
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/979456
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 611944 Sample: DHL EXPRESS.exe Startdate: 20/04/2022 Architecture: WINDOWS Score: 100 65 www.cursosminharendaextra.com 2->65 67 cursosminharendaextra.com 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for dropped file 2->71 73 Antivirus / Scanner detection for submitted sample 2->73 75 6 other signatures 2->75 11 DHL EXPRESS.exe 1 6 2->11         started        signatures3 process4 file5 59 C:\Users\user\...\Firefox Installer.exe, PE32 11->59 dropped 61 C:\Users\user\AppData\...\DHL EXPRESS.exe.log, ASCII 11->61 dropped 63 C:\...\Firefox Installer.exe:Zone.Identifier, ASCII 11->63 dropped 85 Writes to foreign memory regions 11->85 87 Injects a PE file into a foreign processes 11->87 15 RegAsm.exe 11->15         started        18 cmd.exe 1 11->18         started        signatures6 process7 signatures8 95 Modifies the context of a thread in another process (thread injection) 15->95 97 Maps a DLL or memory area into another process 15->97 99 Sample uses process hollowing technique 15->99 101 2 other signatures 15->101 20 explorer.exe 15->20 injected 22 wscript.exe 15->22         started        25 conhost.exe 18->25         started        27 timeout.exe 1 18->27         started        process9 signatures10 29 Firefox Installer.exe 4 20->29         started        32 Firefox Installer.exe 3 20->32         started        34 colorcpl.exe 20->34         started        36 autochk.exe 20->36         started        77 Tries to detect virtualization through RDTSC time measurements 22->77 process11 signatures12 89 Writes to foreign memory regions 29->89 91 Injects a PE file into a foreign processes 29->91 38 RegAsm.exe 29->38         started        41 cmd.exe 29->41         started        43 cmd.exe 32->43         started        45 RegAsm.exe 32->45         started        93 Tries to detect virtualization through RDTSC time measurements 34->93 47 cmd.exe 34->47         started        process13 signatures14 79 Modifies the context of a thread in another process (thread injection) 38->79 81 Maps a DLL or memory area into another process 38->81 83 Sample uses process hollowing technique 38->83 49 conhost.exe 41->49         started        51 timeout.exe 41->51         started        53 conhost.exe 43->53         started        55 timeout.exe 43->55         started        57 conhost.exe 47->57         started        process15
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9521b1dc80ef859b3a563bb1def4e3a7d6307b1d9f09f78b4dd2689593d868ed/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-20 07:45:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=suq3dxea56czwoswhoy555hdu7lda6y5t4e7pc2n2jujle6yndwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
232a16efaec47e6d4fc8f5318ed9d9d58198daef519f30a5d9147d38f293638c
Formbook
5f8d69976e4d3c9b6508cd376dcab4971a605d8d1122952ad604f7b48d2ef1e1
Formbook
7a975e0983903a474303dfbab00a6ccd3a5f9f3339fb1d756aa36f5172361e7c
Formbook
841c900cb4b5f163f77a80953d1dfc4d3f97125be41ad23ac4674b11f1f533e6
Formbook
9cd0bbacb06bc4a961772ad5dac574736247fa7604116855118ecabb6926643b
Formbook
d3fae1feacb2e75560f838099213ae33385d6a0a11caa222a4f09024721e2720
Formbook
e3c2718738a6d4d07664a951dee401b2c4e9416ac6a989f6aa21c3564fdaf241
Formbook
e812adcd8f8470a1be64d92dafaebf717db1c45d58fe04a9160d88a468cf7e3c
Formbook
eccce6ae6f8a2ed3c5edc1ede824681a9d4b9499139e4c00f2a85ca4684cec17
Formbook
+ 15'725 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:m9me loader persistence rat suricata
Link:
https://tria.ge/reports/220420-k57jdaahgj/
Behaviour
Delays execution with timeout.exe
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
7a961549c03b5ed7598878351c90d7f8a0a8a5db03738352acf7cdbd11638db6
MD5 hash:
ca59f75118d211c9d33fec26d10b11a8
SHA1 hash:
83c554830c555e0fb43d8f14062a34a5103fdbf0
Link:
https://www.unpac.me/results/0ac65de4-cc4b-47f6-9537-837fff767009/
SH256 hash:
6d7c4a899914d55722aaa79b97565d71cd3c6ba59e960d76cf5e7f8b13eb54d0
MD5 hash:
d9d53c4204e5fd5b8847a3dc8d97c769
SHA1 hash:
cebb91dcc18c89844a180b4cbed017b65b57134d
Link:
https://www.unpac.me/results/0ac65de4-cc4b-47f6-9537-837fff767009/
SH256 hash:
82cac963ac09a9a98b6f51e1c1f4a9be1467c9ca6549290bd3be236ad99cff50
MD5 hash:
489dbc1dbb7bfd72a212d396f9737dbf
SHA1 hash:
4ff65fe08d18c8459cedbc6a4d311202b19d28aa
Link:
https://www.unpac.me/results/0ac65de4-cc4b-47f6-9537-837fff767009/
SH256 hash:
9521b1dc80ef859b3a563bb1def4e3a7d6307b1d9f09f78b4dd2689593d868ed
MD5 hash:
bf3587cec82eb675530a5306b8778ef7
SHA1 hash:
364139b933ccf9ac16f593196f17953710e983b9
Link:
https://www.unpac.me/results/0ac65de4-cc4b-47f6-9537-837fff767009/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9521b1dc80ef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9521b1dc80ef859b3a563bb1def4e3a7d6307b1d9f09f78b4dd2689593d868ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264903/

Comments