MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b321a1ea7cd14d6f159deef8feca34bcd4820ff2dbbf935be2003ced08a06d5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b321a1ea7cd14d6f159deef8feca34bcd4820ff2dbbf935be2003ced08a06d5e
SHA3-384 hash: e56b28f9b0e532d3ffba4a7fcf9ccd538242443a2ea5bc80b9ff3c4437642eb839f388359a78b57d2af94307ba70dcd3
SHA1 hash: 16cb24fd3d3755e191e2351e5b7d10d09dc67f91
MD5 hash: 14a7622d624114455125aa2cca26bf90
humanhash: green-carpet-april-oscar
File name:DHL-Parcel Arrival NO GKM3684800048.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:768'512 bytes
First seen:2023-08-08 06:54:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:8sveiF9Dt9hdZgWrIgsNkWtx8eaSEbUZTLWpXThACfacgL2jh:Zvei7h7tM8eZSKW/j1j
Threatray 3'477 similar samples on MalwareBazaar
TLSH T1AEF40101772CAF62E1F593F9187A24444BF1746E39AAEA680CD670CF5EB2F104A51F1B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL-Parcel Arrival NO GKM3684800048.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-08 07:01:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/32ed7e0d-5134-46c2-b64d-556496e9f48d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/441212/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.27992.19231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b321a1ea7cd14d6f159deef8feca34bcd4820ff2dbbf935be2003ced08a06d5e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a9604c4-8502-411f-aebe-b5678bf2051e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1287473
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b321a1ea7cd14d6f159deef8feca34bcd4820ff2dbbf935be2003ced08a06d5e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-08-08 06:55:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wmq2d2t42fgw6fm5534p5sruxtkied7s3o7zgw7caa6o2cfanvpa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03e156f16efbda2a891a6519a282ad085325d498695287ee92ad056f7d1c2422
Formbook
0dd1d1a74f49a15f9b7dcfc7890060807198b74b835cb17f60886a0f2c9c1376
Formbook
28ca1fe12d85075d947b1bc3292c14cba784ed1e22287e56819d9a1d86b2f7e4
Formbook
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
Formbook
7fa868c908374d9a48101bf8ed26b2f2c762773594106f176bd4ca279a91932c
Formbook
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
Formbook
c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76
Formbook
d0331b41b50c6134c07ad1ce0b33029ab18ca28e340577728e7818c2d1abeba6
Formbook
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
Formbook
ff3949d2a8e0d6b08d2b8b643cdfc6a26f44352da217b4a537e9c16d96ed7198
Formbook
+ 3'467 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230808-hpszyaba94/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
c4d44988b9e2fe1ea1ccede9b0348a722fa04dd0236f3bf7ec40c2641fa50826
MD5 hash:
9ff9fb13d168016dd3e7f80a7100fc89
SHA1 hash:
1a8c7781fdb00560295ab65a02cc57a86520aaa7
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/a51e8070-954a-4c13-99bf-b223d5a64580/
Parent samples :
b321a1ea7cd14d6f159deef8feca34bcd4820ff2dbbf935be2003ced08a06d5e
ccc8ed7866ebf89380c45861e50f095db3acf900fa4cf797e1a5de78cf6051aa
fd82749104473f4be5f7498f2a751f4090f999c50ae63e114ea49067c2b16185
17cd5809bd3abd8c512b094c8bb0b1b9d02fd5fb84b874916c6adf69944c3af5
SH256 hash:
3aa0a74ef4b6a60cb8478ecfa0ed27157667941bfbc6df79d2211b4a699ed9eb
MD5 hash:
3db464a4bffe4d6611c58dd8c5f9a8b1
SHA1 hash:
5ba304ea33e345a19ed29bafcd0e80c46348750b
Link:
https://www.unpac.me/results/a51e8070-954a-4c13-99bf-b223d5a64580/
SH256 hash:
1d4ef92940095ce5abd862ddf54fc5b5223e08dd96c0387c2bd2210f25e92963
MD5 hash:
f9337ea20e5973c9376b8ff35804e35e
SHA1 hash:
b6713a3f755af6fc8342cd11c08e67dc48af5751
Link:
https://www.unpac.me/results/a51e8070-954a-4c13-99bf-b223d5a64580/
SH256 hash:
0a6bd230f852b0ea44610bf025b8a6388b50281a53c605782f02db246ab8423b
MD5 hash:
9f1bce530f26ae3644830b6ee8a58c07
SHA1 hash:
acafe183f3b5af3e5eba3c1160fae890e2b2a979
Link:
https://www.unpac.me/results/a51e8070-954a-4c13-99bf-b223d5a64580/
SH256 hash:
284ff63d6a7e09eed7e01097842a560e7af633cc682645e2815b04ec147b6409
MD5 hash:
dc0b98819ee4f012109a086779edadfb
SHA1 hash:
6d0251b579a6a3579a5efb5a672863c85505520b
Link:
https://www.unpac.me/results/a51e8070-954a-4c13-99bf-b223d5a64580/
SH256 hash:
b321a1ea7cd14d6f159deef8feca34bcd4820ff2dbbf935be2003ced08a06d5e
MD5 hash:
14a7622d624114455125aa2cca26bf90
SHA1 hash:
16cb24fd3d3755e191e2351e5b7d10d09dc67f91
Link:
https://www.unpac.me/results/a51e8070-954a-4c13-99bf-b223d5a64580/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b321a1ea7cd14d6f159deef8feca34bcd4820ff2dbbf935be2003ced08a06d5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b321a1ea7cd14d6f159deef8feca34bcd4820ff2dbbf935be2003ced08a06d5e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/441212/

Comments