MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aaaf94eb867796b731871a3503f707d089aa3103d7fc388fc696997b343c4dda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aaaf94eb867796b731871a3503f707d089aa3103d7fc388fc696997b343c4dda
SHA3-384 hash: 8cf153ebd4a945ce237f44d62f9cdb75ab6e15bb34f576cc0a4ec9976dddcf8f7e8343653ca8df3f86e3dd92a85d038b
SHA1 hash: cb18ae993705667f646be62e79f9862894491cfa
MD5 hash: 5a048df8ca7be1e9c9ad96683a4041d2
humanhash: oxygen-robert-mississippi-crazy
File name:DHL Shipping Form.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:761'856 bytes
First seen:2023-05-30 07:45:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:7URP2B0xTGlxNqvNu2hZ+nUEsn9GolVkmwdvjjx1UwO7x5Ejer7ftcs87rqwCphG:7wPLaVUH999Ghr9lO7Uj47ftcsY+hjoJ
Threatray 3'086 similar samples on MalwareBazaar
TLSH T13FF422946AA7804FD28B4BB4599477B861ED6BC8B933E72B0D0B96E1DF1B70F1180349
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0060696969714410 (13 x AgentTesla, 7 x SnakeKeylogger, 7 x Loki)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL Shipping Form.exe
Verdict:
Malicious activity
Analysis date:
2023-05-30 07:52:44 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/7eb3c88c-b633-40f4-8c81-eaa73ebb2d69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/393374/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2060.3741.27990.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6475a9bc6dd70dc931d859dc/reports/94a59df2-1820-4597-86d2-0ae5e2f2b137/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/aaaf94eb867796b731871a3503f707d089aa3103d7fc388fc696997b343c4dda
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5dc54478-c0f5-4406-b2bb-01fbae7e4c40
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245096
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 878103 Sample: DHL_Shipping_Form.exe Startdate: 30/05/2023 Architecture: WINDOWS Score: 100 31 www.careerguru.academy 2->31 33 careerguru.academy 2->33 41 Snort IDS alert for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 7 other signatures 2->47 11 DHL_Shipping_Form.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\DHL_Shipping_Form.exe.log, ASCII 11->29 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 Injects a PE file into a foreign processes 11->61 15 DHL_Shipping_Form.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 3 1 15->18 injected process9 dnsIp10 35 www.independentdentist.network 18->35 37 www.hradvocaciacriminal.com 18->37 39 4 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 51 Uses netsh to modify the Windows network and firewall settings 18->51 22 netsh.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aaaf94eb867796b731871a3503f707d089aa3103d7fc388fc696997b343c4dda/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 02:46:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vkxzj24go6llommhdi2qh5yh2ce2umid276drd6gs2mxwnb4jxna._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02b060c393fbc76a082ef0411f28e2be60bce1af80ea2df91f003e9b8a762b88
Formbook
0368b2ffa6991460a59b03edcd2ef71c423a27d4902b2222248bc0935776614d
Formbook
12827a41d1bccb41a635ea9837a5eade7efadf556069b2bd734dbbfe7fa408bd
Formbook
4dce4459e53e569a20c892efadb0424a4698bf5f67d16e7b73668dc2e172663e
Formbook
5291498ba10bc71f5bb08fe5c67d085c24008589c09c6c28faf4dbf222ef5a3a
Formbook
625f5caa0e4422a01de12f875b7acf8c4edb699f36a7237c18bf3df7772a7e6c
Formbook
7cdbc9e74ca8d6119202864a709809712505bac9f32b6d60c552f01a1ac090c3
Formbook
a8982b67f297cc68ff3f3de02cc7b60d51c8b4a3db85971ce4f73149fe67b6ee
Formbook
bca5d8c8e6b1abbf2f9ed462fda3dc22c4f3b37ef2bd6f2bd6772c00fe7dc1af
Formbook
e8f271e2c00c7310ba76f5be24f425df7b4c3fdd84a0b715906a10da4f7e879b
Formbook
+ 3'076 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ga36 rat spyware stealer trojan
Link:
https://tria.ge/reports/230530-jlzhzsgc55/
Behaviour
Enumerates system info in registry
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
99ff6a37c82585c6d2e90f20e415fbb8764e9df8bca8652a7d9a737deca7377f
MD5 hash:
ebc66d0c2c7e09625cdd91510a42e3fa
SHA1 hash:
79a9b8db3e511aad276601fa7f90d34b7decfb91
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/6f763f6c-2ba0-4816-bd2a-d993f0be3f6d/
Parent samples :
e8f271e2c00c7310ba76f5be24f425df7b4c3fdd84a0b715906a10da4f7e879b
12827a41d1bccb41a635ea9837a5eade7efadf556069b2bd734dbbfe7fa408bd
aaaf94eb867796b731871a3503f707d089aa3103d7fc388fc696997b343c4dda
841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410
9f7df9aa07cfd95be6465d8234bae2a1332e7627932b0b345962a766a696212d
0e724a5112ed91fceef060ac76d69321020734afb2902e512b2c5698123faf94
SH256 hash:
3ffb8eed03c7c966e5e8e6be9a9ef0aa34b2446142a0b81415fa3c13a44ca4b1
MD5 hash:
c8f61add11955f3f4aae37e24f804b7a
SHA1 hash:
dd4dc6598d69df627ee5f39d58fc7992b26d69f4
Link:
https://www.unpac.me/results/6f763f6c-2ba0-4816-bd2a-d993f0be3f6d/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/6f763f6c-2ba0-4816-bd2a-d993f0be3f6d/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
d22292c3e730925a19961964d0c013400ad2c2b5c884df5e2c98ba880f539802
MD5 hash:
6d33570a88f195d576dbe4628f4bd554
SHA1 hash:
4160fe1ae3220c826b3e6db5c0644e4a92b55cdd
Link:
https://www.unpac.me/results/6f763f6c-2ba0-4816-bd2a-d993f0be3f6d/
SH256 hash:
f65d6c87102a18d7897c08ba82697e0b4808a8307b584d25a42aea016a41e7f8
MD5 hash:
7299310139d8fd6d9f2c067d13b3824e
SHA1 hash:
3bbc1160b82f289b5e8683d790a2ec1263998930
Link:
https://www.unpac.me/results/6f763f6c-2ba0-4816-bd2a-d993f0be3f6d/
SH256 hash:
aaaf94eb867796b731871a3503f707d089aa3103d7fc388fc696997b343c4dda
MD5 hash:
5a048df8ca7be1e9c9ad96683a4041d2
SHA1 hash:
cb18ae993705667f646be62e79f9862894491cfa
Link:
https://www.unpac.me/results/6f763f6c-2ba0-4816-bd2a-d993f0be3f6d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aaaf94eb8677/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/aaaf94eb867796b731871a3503f707d089aa3103d7fc388fc696997b343c4dda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe aaaf94eb867796b731871a3503f707d089aa3103d7fc388fc696997b343c4dda

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/393374/

Comments