MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4c38c13fa5c4e7789b534da669f6aff46e9faa41ceac97ed3deea7ca94094ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4c38c13fa5c4e7789b534da669f6aff46e9faa41ceac97ed3deea7ca94094ca
SHA3-384 hash: b7b5e00a2f13367b093f7b42a29c5695e27b4377d1b0916403f4b42c892f02af8e43def7ea5f77f91d7e3ce87676cea5
SHA1 hash: ec6991d91ed7165a4090bf16a017d35a763fcba2
MD5 hash: b2bafd32e0fce3fc29be04b2781fb09c
humanhash: lemon-sad-pizza-connecticut
File name:Pending DHL Shipment Notification REF 82721.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'026'048 bytes
First seen:2021-08-27 14:20:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:XC5a3WRbpQzUT+/HTF7z6EH+AZPo/gz0/9iFiyjS1H/6zS0AJ0AMM:XQWc+/HR7uAZigz0cFiyjU6zS0AJ0N
Threatray 8'474 similar samples on MalwareBazaar
TLSH T16425A13D29BD2227D1B9C7B6CBE0C837F4549CAF3111AA6454D39B6A5346E8235C323E
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
443
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pending DHL Shipment Notification REF 82721.exe
Verdict:
Malicious activity
Analysis date:
2021-08-27 14:21:05 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/b3d49d6d-23a3-4028-b78f-ac2d48b8eaad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/182934/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1011.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching the process to change network settings
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/673e2f8f-97a3-4609-bb7c-e729abefa724
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840438
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 472869 Sample: Pending DHL Shipment Notifi... Startdate: 27/08/2021 Architecture: WINDOWS Score: 100 35 yourrealtorcoach.com 2->35 37 www.yourrealtorcoach.com 2->37 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 7 other signatures 2->51 11 Pending DHL Shipment Notification REF 82721.exe 3 2->11         started        signatures3 process4 signatures5 59 Injects a PE file into a foreign processes 11->59 14 Pending DHL Shipment Notification REF 82721.exe 11->14         started        process6 signatures7 61 Modifies the context of a thread in another process (thread injection) 14->61 63 Maps a DLL or memory area into another process 14->63 65 Sample uses process hollowing technique 14->65 67 Queues an APC in another process (thread injection) 14->67 17 explorer.exe 14->17 injected process8 dnsIp9 29 www.hdzj365.xyz 17->29 31 yamalo.club 95.215.210.10, 49720, 80 NEWIT-ASRU Russian Federation 17->31 33 12 other IPs or domains 17->33 41 System process connects to network (likely due to code injection or exploit) 17->41 43 Performs DNS queries to domains with low reputation 17->43 21 raserver.exe 17->21         started        signatures10 process11 dnsIp12 39 192.168.2.1 unknown unknown 21->39 53 Modifies the context of a thread in another process (thread injection) 21->53 55 Maps a DLL or memory area into another process 21->55 57 Tries to detect virtualization through RDTSC time measurements 21->57 25 cmd.exe 1 21->25         started        signatures13 process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b4c38c13fa5c4e7789b534da669f6aff46e9faa41ceac97ed3deea7ca94094ca/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-27 14:21:05 UTC
AV detection:
14 of 44 (31.82%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wtbyye72lrhhpcnvgtngnh3k75dot6vedtvms7wt33vhzkkastfa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0cb047df6b7a2df55972c4d33b5d10b511f707f30907513f07bf5ae2c070d534
Formbook
132167fd6c334c13919991a82a38645572a9d58c5f83cb1ddf0fcf41e37d2105
Formbook
366b6d23b6e536c3b8bd769edbebc2e7dc26e38e75ac85a32a7b4512f585b68f
Formbook
435b924af18dce67e3fbc2b55fc515b839fe883da2e10fd3c8c21859a1181d64
Formbook
7f0599ad186f76d0d5ae5daf5e713747281b1b631bfef0cb340b2977ed53d253
Formbook
aba30cfb1f3ce3760e9cbd42f49cafa3582d349d690f1ee91674e2998f4b290e
Formbook
ac57d8cb242185bd11b7b0ab898c06f7904e0e0a0d9c39edd3b136c902bf394a
Formbook
fa7a3ac64a6c26f248d805abfb0961bfe6518df6dcb3212de51593b92d5e4158
Formbook
+ 8'464 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ssee loader rat
Link:
https://tria.ge/reports/210827-6fknxdftje/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.idt-metrofireandsecurity.com/ssee/
Unpacked files
SH256 hash:
fe4ed2a81e8d978e5af169b4144f115f27e039f4d56f627ec25dcdf3468bc1ef
MD5 hash:
84869db9efc28228fd5932c0a33a9aac
SHA1 hash:
33b9d49e3eb86dbd7b9bac6b2580bc69d251b611
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bb563a98-1bd7-4ced-b851-2af2442291c7/
Parent samples :
1c49c90dceca146ee0b95fab3873e38bcda5b46b550a59f8ba2ccf5984a11b92
fa7a3ac64a6c26f248d805abfb0961bfe6518df6dcb3212de51593b92d5e4158
435b924af18dce67e3fbc2b55fc515b839fe883da2e10fd3c8c21859a1181d64
132167fd6c334c13919991a82a38645572a9d58c5f83cb1ddf0fcf41e37d2105
0cb047df6b7a2df55972c4d33b5d10b511f707f30907513f07bf5ae2c070d534
9744a8f624cc86bce830db5caf4a5a8b2263b51f53ca384908b2557e5f9ce99d
7f0599ad186f76d0d5ae5daf5e713747281b1b631bfef0cb340b2977ed53d253
71d1fda394f185684d721f59017634f981e972964f1b4c23366fa28c1da4307f
366b6d23b6e536c3b8bd769edbebc2e7dc26e38e75ac85a32a7b4512f585b68f
f7c1ecf2c6e90d8a9a0ac0972b0ab02ca809a85da65d51b46f56a4c81cc4996e
aba30cfb1f3ce3760e9cbd42f49cafa3582d349d690f1ee91674e2998f4b290e
ac57d8cb242185bd11b7b0ab898c06f7904e0e0a0d9c39edd3b136c902bf394a
69a08fcc2b3eb5499a9356a801bb646d7726dc158cba7f141335997f374ead38
a73336c8fc448bd54031998ad8cbda50f452c3c8a1600623a43e07ce6476b3d5
b4c38c13fa5c4e7789b534da669f6aff46e9faa41ceac97ed3deea7ca94094ca
2465cbd2ae3adb04f06a069fef61acc098096ef1f33cece8076d059b106f7b3a
63abf2ffa58c2c36920a2be604c77ac2a25b2bd5d1d6ba9d81338da21418ff10
e426d0d32845bb665740831128bcb5109a588544acf73317f5ee3bce6e5f486f
42c496ed24bc4b1abd0d647105d7931b9b18b9ce638550dcc5e96fa0cd69dc4c
a9d0de4abec8a5d9f13b203b8f4bcc0dcd101fb5f5f89ea910414d4cc16391ab
169a316f9557b3a154c1cbc1ab4aae2b690d71fd197ff39ac77e58c7e7db4196
fdd78bbf6d05b69fbdcaa24727822f1ec7e9b652266ac34ed69916537e6aeff2
ee5ab13a8694e1883f2e4f1509580d2cd01b6041ef78da9e1524f8b4eaee6ed5
c221c9dcc6e6a5c53181b072958ebe173ac1781861fb1d95ed1734def6322972
b5821114ae6e03e71fa7cc2dc293aa7f8a5563ebb4a2151194b2acb9eed4758d
61364951cb7faf165eaadcb66f8e124a689f5f298ec5f2d9539206904d1194b8
1fad173e519f8c7cb34093e926807794765789e79d377e89ffe201ae8d76dd99
13c385c3a7e1297c506764e1b956a5aa568590389356140c92e2a2cb953bffe5
6ec3a910864aa91b0bec91275ffc3ef7e3dcc0e1c7f247624514b1c9d4c16992
9dbcb6d140d0fd1db131b3f086eb8ee6dc9d0dcdd325f36b48aea1495408e2a2
91a28bbaaaed3acd39f0c37cf091e0a4e3a54ac5f00b4c26c5d3af44c9bc3fb3
cb32d42bcbcc716d12c9926bd3aab2def79f4dc2774f2f04234d95b2b4849e86
def69bd673ae57b70c20087596b787eb27c1f0da7053ba2991e87cf7f032c43c
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/bb563a98-1bd7-4ced-b851-2af2442291c7/
SH256 hash:
0ea8b28111df7f85fb132bd70378e5195b7c0166db592235f655481aef861c63
MD5 hash:
83e6a50e131cd96bc3a1cc9d7c6fd1ca
SHA1 hash:
dcf6d0116d6998ccf24229d6ebb39ad61f07d9dc
Link:
https://www.unpac.me/results/bb563a98-1bd7-4ced-b851-2af2442291c7/
SH256 hash:
b4c38c13fa5c4e7789b534da669f6aff46e9faa41ceac97ed3deea7ca94094ca
MD5 hash:
b2bafd32e0fce3fc29be04b2781fb09c
SHA1 hash:
ec6991d91ed7165a4090bf16a017d35a763fcba2
Link:
https://www.unpac.me/results/bb563a98-1bd7-4ced-b851-2af2442291c7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/b4c38c13fa5c4e7789b534da669f6aff46e9faa41ceac97ed3deea7ca94094ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b4c38c13fa5c4e7789b534da669f6aff46e9faa41ceac97ed3deea7ca94094ca

(this sample)

  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/182934/

Comments