MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad24fa8fe46848770e3bd8a2c2f084fd36e1916824b875204d7f9f2faa52375b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad24fa8fe46848770e3bd8a2c2f084fd36e1916824b875204d7f9f2faa52375b
SHA3-384 hash: 1f6e6d899c8c9de33b44ac5c5fb0ef948e9999354b1502e9caf6df42b5b498ef1f80d7b4a1ad50fce451ec1343dcbea0
SHA1 hash: 4adcbf339a33c2a5a27fa231c0334ae1cca17ff4
MD5 hash: a04ff069af5adc30efbf068ec95077e3
humanhash: freddie-alpha-uniform-black
File name:DHL Shipment Import DutyTax Payment Alert.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:993'280 bytes
First seen:2021-06-03 12:48:56 UTC
Last seen:2021-06-03 13:40:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:PMOCKAkrOZJ0EetGACIoULaMs7PblgeG+yOBvT:+mq0ESGpI5LiPblgedyO
Threatray 5'622 similar samples on MalwareBazaar
TLSH 82258CF8F198A8B4D15ED732C3909CADEBA152FE53038A6C06A5DA8C1F1378ACF4D455
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
(DHL) Shipment Import DutyTax Payment Alert.ace
Verdict:
Malicious activity
Analysis date:
2021-06-03 00:37:00 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/6214a4aa-eaa4-46a6-bb31-b9b033fffacd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164402/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796688
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 429085 Sample: DHL Shipment Import DutyTax... Startdate: 03/06/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 8 other signatures 2->42 10 DHL Shipment Import DutyTax Payment Alert.exe 3 2->10         started        process3 file4 28 DHL Shipment Impor...yment Alert.exe.log, ASCII 10->28 dropped 52 Injects a PE file into a foreign processes 10->52 14 DHL Shipment Import DutyTax Payment Alert.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.nelivo.com 66.29.133.79, 49746, 80 ADVANTAGECOMUS United States 17->30 32 www.hymingfeng.com 17->32 34 www.ethereumlp.com 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 wlanext.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ad24fa8fe46848770e3bd8a2c2f084fd36e1916824b875204d7f9f2faa52375b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-02 10:16:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
45
AV detection:
22 of 47 (46.81%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vuspvd7enbehodr33crmf4ee7u3odelies4hkicnp6ps7kssg5nq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1f37ecb6d388f8378e278dc1ee1e29e09760ab46a83d7096f67b79e2af1ac107
Formbook
498ce67ad88b8121b3062ea25ede6550ea4c3bc4f29fab40cbb4c93c20121fb2
Formbook
50961752207e439abf40cf15d11d20f5c3d9b68067e571c3029c7bce69ffe085
Formbook
5e681acaddd90aaecc4edeb8a2fa514475a9ecec9458038d4d9e880a963b126f
Formbook
6a3b624be347bf0f0d4db1f321ab90b322f8c86ce83bb85918f1ea736f0ab12d
Formbook
c2336a135878814b7b9b82146879a4ee8910e0a7e540415cb3716e1f62c1ea41
Formbook
ce84812d0bb4086a806eb6bd6bda53c0656dd74569b1c40251d0ee1f84852460
Formbook
d56c4c2f5d2fb1888a61723b99845f21742ab93794bc0fdcf146a67c33919e1f
Formbook
df9518a17395e5cd3d467eaf82daec28250b168e6b31553b0a60712f05025380
Formbook
ef77a8918ed19e4c73ba620ee2fba77e1058d8b132768ef034dc10322d560aa0
Formbook
+ 5'612 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210603-g7wj76erlx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.semenovdmitriik.club/bwk/
Unpacked files
SH256 hash:
1e7c66f6da06a0ea81371fb98d0e76424a600518b808140279c7ba8e06541ac5
MD5 hash:
8fe0389e4b903545421e42b628186cd2
SHA1 hash:
f6adc3d1a4ac995fad2a49474243d896b0236c2b
Link:
https://www.unpac.me/results/42056359-04c8-4b71-a509-7a0830dceb20/
SH256 hash:
ad24fa8fe46848770e3bd8a2c2f084fd36e1916824b875204d7f9f2faa52375b
MD5 hash:
a04ff069af5adc30efbf068ec95077e3
SHA1 hash:
4adcbf339a33c2a5a27fa231c0334ae1cca17ff4
Link:
https://www.unpac.me/results/42056359-04c8-4b71-a509-7a0830dceb20/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/ad24fa8fe46848770e3bd8a2c2f084fd36e1916824b875204d7f9f2faa52375b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/164402/

Comments