MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac1b9a04cfe9e518dbe01cd3d443c922c146da635748268d22fbbf5aa77dddb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	ac1b9a04cfe9e518dbe01cd3d443c922c146da635748268d22fbbf5aa77dddb8
SHA3-384 hash:	d2dc607812345251195d93a7542d5d3c192df5f6ffed972de457410345d4a06b0f8038f49e2f9b16bb3398110fe45608
SHA1 hash:	6934bd8a9e96520f3286263e8034e244c28d538f
MD5 hash:	daa62f426a3ad1fbb2cc30487a7c5bd5
humanhash:	west-mexico-mike-march
File name:	DHL 54W3312288.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	934'912 bytes
First seen:	2022-08-13 06:17:45 UTC
Last seen:	2022-08-13 06:40:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:u62t3gmitQ6SbstIt3WavAKCpGU+b5WnIPfE99/niYG6g:HkHFfbswpvJG+IIPc9v//g
TLSH	T1E115D54CDEAA2459EE329E33D7B319B509393F05283D584EB283DE0E45B764DE420B5B
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	DHL exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

315

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

DHL 54W3312288.exe

Verdict:

Malicious activity

Analysis date:

2022-08-13 06:21:46 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/34adb65f-aff8-4100-9e47-c86dc6868bb5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/298361/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.40093.25709.453.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching a process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62f7425ef6ec33747da1c333/reports/be9c1cd9-3ed3-4d29-9544-db4607703379/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/72335cb7-11d7-4f3b-b1e4-103a6a10abba

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1050951

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Deletes itself after installation

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/ac1b9a04cfe9e518dbe01cd3d443c922c146da635748268d22fbbf5aa77dddb8/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-08-12 15:58:40 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vqnzubgp5hsrrw7adtj5iq6jelaunwtdk5ecndjc7o7vvj353w4a._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220813-g2ms1shad5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks computer location settings

Unpacked files

SH256 hash:

e0aec059a6c18c5423ca9956b8cdd811a6d7a50dbd72ec9797ebe7dce2dd72f3

MD5 hash:

528f186d9e0380069c54da4a800d7757

SHA1 hash:

6ce9cc80d6d0b29d212de1d979994ea001f6de8a

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/6f41de6f-0f2a-40ab-a5dd-17062ee2203c/

Parent samples :

17db5b7a915bf4295ef9e087230ee520b643939fa904a8e7ea466bd9807adeae
ac1b9a04cfe9e518dbe01cd3d443c922c146da635748268d22fbbf5aa77dddb8
574369cdf26d81c66cbea5ec53aa5ec441d8a807e77f5b897f5d47c93e4aa673
cc32195794bc18fddf37508bacebf98ef27bfd857ce90c94966a0ae931ba8e29
766bd5c135146cb1756ef4fc4e5f546a8df631cbbe6d46058df2507141a815ae
ad3b435747bb04357281c56301e19121812bbf6c6464127e3f855de2bbaf41fc
1f3880429631ec09ce9b9eb5bec40252989fade63949482fc0b74e7dcd47d034
1953141dacacdb78b26b51ad716668724a4396be2f1cf35094925c6892321211
c573532411bbcb708cb6f4a0553ae8b84226f9bd0896e27641e2e5962dd84bbf

SH256 hash:

2086d634e6d1b9b203e93e977f8025ccf8a7b9c5554e047e62e1913f46e43be3

MD5 hash:

9e789345b6c99da228762a746dbcccde

SHA1 hash:

e088188c1c2a9aebd2a22c63fe3b4b0042d2cce7

Link:

https://www.unpac.me/results/6f41de6f-0f2a-40ab-a5dd-17062ee2203c/

SH256 hash:

18eb60c0eb3e1c610526d9f4b42684ac36a2ebb521514a8770dca2f2afd7f471

MD5 hash:

7ca239778f9f46d28b08876564dba525

SHA1 hash:

973b0d0d98a83b7dfcf1bfce04a179b0f070b98c

Link:

https://www.unpac.me/results/6f41de6f-0f2a-40ab-a5dd-17062ee2203c/

SH256 hash:

0e71ce16d868adbbf6a4cdf95125a8601c58d4d9258d654051792a3065bf8497

MD5 hash:

15f4826972cc6e23682f34f99ac3098d

SHA1 hash:

25e4c81aaa922ce3665517a71e9f1a0fbc426a43

Link:

https://www.unpac.me/results/6f41de6f-0f2a-40ab-a5dd-17062ee2203c/

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/6f41de6f-0f2a-40ab-a5dd-17062ee2203c/

SH256 hash:

ac1b9a04cfe9e518dbe01cd3d443c922c146da635748268d22fbbf5aa77dddb8

MD5 hash:

daa62f426a3ad1fbb2cc30487a7c5bd5

SHA1 hash:

6934bd8a9e96520f3286263e8034e244c28d538f

Link:

https://www.unpac.me/results/6f41de6f-0f2a-40ab-a5dd-17062ee2203c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/ac1b9a04cfe9e518dbe01cd3d443c922c146da635748268d22fbbf5aa77dddb8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/298361/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample