MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7138f9f3ae6acefe470ffa5f2c209b6b64b340b4549ab255f163de20c6e8ea7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7138f9f3ae6acefe470ffa5f2c209b6b64b340b4549ab255f163de20c6e8ea7
SHA3-384 hash: d98efae26480a732604b0ade5d81420d5a5e67d4b23ae7ad521e8d75067e337a60f18e8cf2eb73b972e3f2c57d99755d
SHA1 hash: cf149b66a79fdd8e6173e7fa7f2692dcc56fbde9
MD5 hash: 85375a27bce42dfca17f1f2b951270af
humanhash: eight-failed-equal-texas
File name:DHL Receipt_AWB811470484760.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:222'640 bytes
First seen:2022-09-05 12:19:01 UTC
Last seen:2022-09-11 01:17:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:PmvWauGGUAsbbRXa4d9yEZ69VaHz3sz+uIZnEUmMc:vLU74N+zQ+9ZnEUmMc
Threatray 17'785 similar samples on MalwareBazaar
TLSH T1C724CF8C7650B98FC467C832DDD95C249BA07CAB5B17C243A09732AD8A1C7D7CF162E6
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
357
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL Receipt_AWB811470484760.exe
Verdict:
Malicious activity
Analysis date:
2022-09-05 12:22:15 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/fadee487-290f-4328-ae68-aa3f7c9059cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/307881/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.3319.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching a process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6315e979c0ca34ef4c5106d4/reports/ef9ee748-c919-4b53-abd2-dec24eb3c1f4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b176352a-44e7-4db4-93b2-95aaf5634346
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1065139
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 697666 Sample: DHL Receipt_AWB811470484760.exe Startdate: 05/09/2022 Architecture: WINDOWS Score: 100 27 www.julesbasimine.org 2->27 29 www.lsautomotive.co.uk 2->29 31 julesbasimine.org 2->31 41 Multi AV Scanner detection for domain / URL 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 5 other signatures 2->47 8 DHL Receipt_AWB811470484760.exe 1 2->8         started        signatures3 process4 file5 25 C:\...\DHL Receipt_AWB811470484760.exe.log, ASCII 8->25 dropped 61 Writes to foreign memory regions 8->61 63 Allocates memory in foreign processes 8->63 65 Injects a PE file into a foreign processes 8->65 12 cvtres.exe 8->12         started        15 cvtres.exe 8->15         started        17 cvtres.exe 8->17         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 12->67 69 Maps a DLL or memory area into another process 12->69 71 Sample uses process hollowing technique 12->71 73 Queues an APC in another process (thread injection) 12->73 19 wlanext.exe 13 12->19         started        23 explorer.exe 12->23 injected process9 dnsIp10 33 www.8901r.com 19->33 49 Tries to steal Mail credentials (via file / registry access) 19->49 51 Tries to harvest and steal browser information (history, passwords, etc) 19->51 53 Modifies the context of a thread in another process (thread injection) 19->53 55 Maps a DLL or memory area into another process 19->55 35 eatingdisorderstest.site 64.190.62.22, 49726, 80 NBS11696US United States 23->35 37 nineodesign.com 148.251.83.25, 49725, 80 HETZNER-ASDE Germany 23->37 39 8 other IPs or domains 23->39 57 System process connects to network (likely due to code injection or exploit) 23->57 59 Performs DNS queries to domains with low reputation 23->59 signatures11
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a7138f9f3ae6acefe470ffa5f2c209b6b64b340b4549ab255f163de20c6e8ea7/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-09-05 02:44:32 UTC
AV detection:
12 of 40 (30.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u4jy7hz242wo7zdq76s7fqqjw23ewnalive2wjk7cy66eddor2tq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
24dbe688a855d9f0c1db91574e24837ab537b63a2e69c8a55240b14f151e5ed2
Formbook
28ef8e19f33ee91bd8cd2e0fcbc9b9cf328313c543f65aaeb116646916e99fb0
Formbook
4994e7acf451ce7d8abdccb79cce806011f09bd49a811fcd2689f32a51fdee09
Formbook
74866c9e39b3fc10fa60155dad5cfb2e6b98c8d938349584ff6c358bf69c8482
Formbook
ab68c3f1654e49a32d6750b88ee3f472fe69aa1691998b2bcb76936d054a215a
Formbook
c5f31d9d3c1a204926f1a87c5873b01ba37153af5e55594ac5037091d56026ac
Formbook
d015b72e6a79afa9891854efd51cb2603c191956a347e81c58a36aa8add08bca
Formbook
ed5c10e99c4b9d88ee7ae866f6b6a1df1aae0630da5aac64e1994e30d7a15778
Formbook
f958e4ed4aeeb30bdff566e749d1f0974e8a2d01cd3782eae9134c85f39b4f0f
Formbook
+ 17'775 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/220905-pg6pdsbdh2/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
3d2618453994863dfb46e5f94c6c58aed6caa6b0817757df7b7336d924d5fc1a
MD5 hash:
679a8e402b506a4b35c3eda11cae9d3e
SHA1 hash:
4da07fc895b4e32298d32c7514ad2ee5412797f5
Detections:
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/d4b7ec92-f8bc-4255-8f00-15fffab51fb1/
Parent samples :
78435f2945c300d729e1a4648ef3e750dac4ad3d26fa9e7f05998ec78a698969
d015b72e6a79afa9891854efd51cb2603c191956a347e81c58a36aa8add08bca
4dedd48971ab795ed071cb84b38f894f1844c5f2f05ec08b3fd693b7d906bf20
a7138f9f3ae6acefe470ffa5f2c209b6b64b340b4549ab255f163de20c6e8ea7
19255e5c288e089f6d5832588e3350a6f432938a8911b4f07f1d82b345c006a3
SH256 hash:
a7138f9f3ae6acefe470ffa5f2c209b6b64b340b4549ab255f163de20c6e8ea7
MD5 hash:
85375a27bce42dfca17f1f2b951270af
SHA1 hash:
cf149b66a79fdd8e6173e7fa7f2692dcc56fbde9
Link:
https://www.unpac.me/results/d4b7ec92-f8bc-4255-8f00-15fffab51fb1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a7138f9f3ae6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7138f9f3ae6acefe470ffa5f2c209b6b64b340b4549ab255f163de20c6e8ea7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a7138f9f3ae6acefe470ffa5f2c209b6b64b340b4549ab255f163de20c6e8ea7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/307881/

Comments