MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7f5857586780b4dba775eb6d75c03ee627405bbedf03c7e1966ec8abb3f2c6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7f5857586780b4dba775eb6d75c03ee627405bbedf03c7e1966ec8abb3f2c6c
SHA3-384 hash: 6b5bc554e14affee63576e6390551611cac21074aebe120be87b7032e9ebffe9a7c43c0367c6f8cd06205cf208c451a7
SHA1 hash: 336e19aaebc45d4f9bd4dfc6421040c912763bd9
MD5 hash: fa2e701633807a6d3aa31ea52a6d7fd1
humanhash: artist-fifteen-winter-texas
File name:DHL 23-03-2022_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:979'456 bytes
First seen:2022-03-23 19:11:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:pC+HRMmzCBlLKqMvVDyPnDYaSnA7yb1P0U8:Y+xMcCXLKqMvVDiDaAOu
Threatray 13'608 similar samples on MalwareBazaar
TLSH T1722523CD0199AB1AE4FEAABEDCF465554338D9B66503F32D4D80189E15237E88F213A3
File icon (PE):PE icon
dhash icon dadadadaa6a6a6a6 (12 x Formbook, 8 x AgentTesla, 5 x SnakeKeylogger)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/256825/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e0a8edf6-e87a-44c7-b095-129126f18f71
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/963104
Behaviour
Behavior Graph:
n/a
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b7f5857586780b4dba775eb6d75c03ee627405bbedf03c7e1966ec8abb3f2c6c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-23 16:51:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
11 of 42 (26.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w72yk5mgpafu3otxl23noxad5zrhibn35xydy7qzm3wivoz7frwa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2bb47abc0ec7e4e48aa80d53e19056c6adbef6b1392b3816aa335364325870fb
Formbook
374874898c5386561d60c3fae0482d1caee783f1096dda6742b1c073175a0a14
Formbook
39d7f0b102aca1db8c71a3a7af79ece2aa2100dbaf1c20237d75e36271833ef2
Formbook
8085268c9f2053c82abbff7add9efff451f11994a1ae313718cdecf2c693da06
Formbook
9f085df3f1da75ba799ca984603fe267f891be8e6ac24c52b907cc97e6879467
Formbook
b10824c56d2ef6aa6af1474f898e5578bb6f6155eb4f9cd63ef3e7fd36c2a827
Formbook
c86f3a2110ed2a8498cf30d4ab88cf9ea18edc612835fe2b369e7596dafb802e
Formbook
d89f28603b8948dd7217e42366328a6e9bd05d59e5de67a4c39f207f8a520d43
Formbook
fce51b6f1f69629c651dfaedbcdcb55d25da39e8184614c1cb26e4c247f6d3ac
Formbook
+ 13'598 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:tumb loader rat
Link:
https://tria.ge/reports/220323-xwh6msach9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
d3c5b45af4728c544bbda0a159e5ea737e5a68352de4805921b687e09246ab61
MD5 hash:
23c6fc28d3bd7cf344337182a8d4150a
SHA1 hash:
b6be993b2bd725ec5946f5790682b8ef2000c97a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b5275b85-9c5d-4d18-9c47-482cc37e1729/
Parent samples :
16d108f51f45ce601a5b10165629fb8fd6893508e03a2288374c2741a9474e11
b7f5857586780b4dba775eb6d75c03ee627405bbedf03c7e1966ec8abb3f2c6c
4526c504931fd9f9f9c96af92f66e58dcc7be31a8be9309c8eb5b5acf2cb5c89
SH256 hash:
dc5c057b0ee1eb079cf189762aac69f0d86338ea18795dc4fbf7ed9b5a45c2eb
MD5 hash:
4103ed94f4747b30e166cf3c25416f47
SHA1 hash:
d553a67056e94f60d621ca42dcecd6d93f9ef1ad
Link:
https://www.unpac.me/results/b5275b85-9c5d-4d18-9c47-482cc37e1729/
SH256 hash:
9b55af607a9946194d9ba6c7e17a828a962402ffb29d47b99e429ff47ee6c1c4
MD5 hash:
1a0b6ffd1049580a461d3d591c520072
SHA1 hash:
bbb44353c47a3ebd6988b38d79478a30129e7bc3
Link:
https://www.unpac.me/results/b5275b85-9c5d-4d18-9c47-482cc37e1729/
SH256 hash:
9180df6a80018efa13442dd4b61f85d1ba5e2522a1b9388e23a0ab0ebb2c9b21
MD5 hash:
ea5beb9d140e5f8272ddf4cd5a06345b
SHA1 hash:
678458af147e5561af6221b242cc5ee3b1cc50de
Link:
https://www.unpac.me/results/b5275b85-9c5d-4d18-9c47-482cc37e1729/
SH256 hash:
b7f5857586780b4dba775eb6d75c03ee627405bbedf03c7e1966ec8abb3f2c6c
MD5 hash:
fa2e701633807a6d3aa31ea52a6d7fd1
SHA1 hash:
336e19aaebc45d4f9bd4dfc6421040c912763bd9
Link:
https://www.unpac.me/results/b5275b85-9c5d-4d18-9c47-482cc37e1729/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/b7f5857586780b4dba775eb6d75c03ee627405bbedf03c7e1966ec8abb3f2c6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/256825/

Comments