MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99dfa5a36a438daadbbfd9c087e5a005287e5a2b25668ba57a7e78d34b1c3b0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99dfa5a36a438daadbbfd9c087e5a005287e5a2b25668ba57a7e78d34b1c3b0b
SHA3-384 hash: 6b84192d246466ed24155a1846affed8c8d788d14a400fcc5914ac7cb879b678552e91d42f40d06ce66625dbe9aac354
SHA1 hash: 4e387d8e24c09e3cb230396cc9d19ec440160d61
MD5 hash: 9adc00f6d3ebe3969f229d7898d8338f
humanhash: foxtrot-robert-florida-six
File name:INV-DHL.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:412'606 bytes
First seen:2022-02-03 11:58:15 UTC
Last seen:2022-02-03 12:27:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:5wOXv3kMLrYtJg7goBXcyIJErMgL9k2oOKZiixuIV+97WmOIJO5xtqa20XAYm:l/vHgJugQMTJEwWMOK4Ii9GIJO5u4X9m
Threatray 13'244 similar samples on MalwareBazaar
TLSH T103948BB2E1F144D5D826C6701967AD2122F76E6DDCF84209EABFB72597B22C3305780B
File icon (PE):PE icon
dhash icon e39688020b0a2436 (1 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/232162/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
DNS request
Searching for synchronization primitives
Setting browser functions hooks
Searching for the window
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7dfa2a7c-f196-4cc0-9c2b-afdaa91ce709
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/933275
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99dfa5a36a438daadbbfd9c087e5a005287e5a2b25668ba57a7e78d34b1c3b0b/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-03 08:29:25 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=thp2li3kiog2vw573haipznaauuh4wrlevtixjl2pz4ngsy4hmfq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0030293612e1420d3d979e1ae8eb222cc8bcd7e357e1e5c0c3121c6218fa35be
Formbook
2ed8aeaf73ee1a3caf7eb0be7814868c4100efbe1b021e2d964db3b638dc7f3c
Formbook
50771a013c968d61b8e3111da3cb205f1d8878031c63bdbaaddaa87308a3e290
Formbook
5cd0836a13fa804b548a110f168438da7dffd9c4fb5cc0036241f57bd7c5954d
Formbook
8e7173102d77a6ed527fc3e783be4aa446e757f4417d3fa1f60f3e9cd0cff4f9
Formbook
8eedc524cbcf57998c67472c72d0db19becad221e770bea32486deb9661d3fd4
Formbook
a00b8665cf484b38e9d12d40208001acd1b890250be4bbcc78807eeedf6c408d
Formbook
bc09ecf5cb6364f4d053ec0420282fa6e7a1649a8a5ca2af2ca933aa27f8b90c
Formbook
ec575e5cdf3da323c27e65f3042586173ca50ba0682b733a61f0b47f80c3004e
Formbook
+ 13'234 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220203-n5q36sgfh8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
d98ec63d3f10382fb973110b64818f1a38c5f19be437e1606507c0cfa3ad8760
MD5 hash:
1914bae3abaaf3d20ebd5351fa0c5d4f
SHA1 hash:
b2f64eef79bff1b7e07a03aa3769bf518e164e75
Link:
https://www.unpac.me/results/d7e7f138-fc2a-4fd0-8abc-647fd1d9fa64/
SH256 hash:
99dfa5a36a438daadbbfd9c087e5a005287e5a2b25668ba57a7e78d34b1c3b0b
MD5 hash:
9adc00f6d3ebe3969f229d7898d8338f
SHA1 hash:
4e387d8e24c09e3cb230396cc9d19ec440160d61
Link:
https://www.unpac.me/results/d7e7f138-fc2a-4fd0-8abc-647fd1d9fa64/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/99dfa5a36a43/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99dfa5a36a438daadbbfd9c087e5a005287e5a2b25668ba57a7e78d34b1c3b0b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 99dfa5a36a438daadbbfd9c087e5a005287e5a2b25668ba57a7e78d34b1c3b0b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/232162/

Comments