MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdf513cd2e97cb60bc6497c6a6155aa36ab7a32636b3f7d87715f988cd68feab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	bdf513cd2e97cb60bc6497c6a6155aa36ab7a32636b3f7d87715f988cd68feab
SHA3-384 hash:	b5dac30f77aa3e704376ec649a611175e6ccd209312c41d685dd72369dcbb4ef611c26002814bdebf848a6f425bc5b5d
SHA1 hash:	fa93c27150f657a82af452eb57590f00532a9303
MD5 hash:	50bd9732dd027a7a5939f915b2c1f3e8
humanhash:	mars-seventeen-west-twenty
File name:	DHL Express shipping DOC.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	712'704 bytes
First seen:	2023-08-02 08:56:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:E+uZVKYmJ+375RLaTMrhLrAEQLCaWT4deDAkcMyZ228kYA/SXmPwcknaD5:E+uzKYmQ3759aTGhAEkVWT4Acn4/qwcr
Threatray	3'612 similar samples on MalwareBazaar
TLSH	T11CE4122026B49BB9C92F1BBE1C700050137067BA32B4F7BE8F8675E55A75B821715EF2
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	e2e29a86e6ea8686 (13 x AgentTesla, 5 x Formbook, 2 x Loki)
Reporter	abuse_ch
Tags:	DHL exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

255

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL Express shipping DOC.exe

Verdict:

Suspicious activity

Analysis date:

2023-08-02 09:03:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a29883a4-d371-4454-9e6e-0e1c3bf8a923

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/439790/

Detection(s):

SecuriteInfo.com.Trojan.Generic.34057361.20304.3060.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64ca1a60cbfeb5bd5751241c/reports/64854195-1fb4-4d87-ad39-1b6208c0823b/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/bdf513cd2e97cb60bc6497c6a6155aa36ab7a32636b3f7d87715f988cd68feab

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5400ec74-fd12-4d46-a17c-82bea3ef5b3a

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1284257

Signature

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bdf513cd2e97cb60bc6497c6a6155aa36ab7a32636b3f7d87715f988cd68feab/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-07-31 14:15:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xx2rhtjos7fwbpdes7dkmfk2unvlpizgg2z7pwdxcx4yrtli72vq._file

Verdict:

malicious

Label(s):

formbook

Formbook

1a166a2469e8634ab832469a47076affd97eec7d5b4855f33879960e559a235d

Formbook

3adaefb94e006670d66c9675ecf47b65a27bc39325bf96432c79ce47d473edcc

Formbook

490129df3b9f148b27f875a33d9e4d584a3470250d46b5ef5bfee336644081b0

Formbook

4bc2162ae0ae133d359603b912865d8ed2f26029421a7dcfcf734f2aee216923

Formbook

679e687ae1611a7eb7d00d06c9f8ae37b9168838c9ff9b822174f6b0de6304d0

Formbook

72d3a95a59ccd8220e04850fb54fdc48caa51c10739d96afa48ab5446303dc07

Formbook

73ff2753b011fd1295ce8a2ca311a308bdc993e95258fe0b93ee353b08e58403

Formbook

95c058c714f6b443f68eedc24f78b9b5b834b4e4d77dbc20666684bc6d2e321d

Formbook

e3643d141c0e87b3304f3b015f1e8dbbbe273e9a8bb93906991fe61a3073f891

Formbook

+ 3'602 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230802-kwky1sdg62/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

0a715e9748587e85691c13f847a8e1bfa219db51434caa70fa0ae89ee3e85ac5

MD5 hash:

f00c7ba26caad0623f198080c2e0acde

SHA1 hash:

34877efef97e197b106efda6131089696334145a

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/98180b87-3d5c-40c3-b5dd-bfc459241828/

Parent samples :

4bc2162ae0ae133d359603b912865d8ed2f26029421a7dcfcf734f2aee216923
73ff2753b011fd1295ce8a2ca311a308bdc993e95258fe0b93ee353b08e58403
bdf513cd2e97cb60bc6497c6a6155aa36ab7a32636b3f7d87715f988cd68feab
0fa6047b89faa0096bac58ca8733687cd676b31cd75675654e4e0343ca8ae8c6
131c69adaff732d878e0396149be53da15e8e155daafe995259385c6c28f605b
74eb5168cf1f711833750d0e0f5a25a97cceda943944da21ecc8f1b697ab4e43
41b09d1202db4dfb8db58a5cd9f68953db7d7547fab1c76234b3dd95cfac318e
2d504d5142b27bb57b54d806c01d890fafcc5ba3e41a9a38094ae426c63fb362

SH256 hash:

70f1f71c4ef3234d5a68ec1c7b4455f07031fa44980021d42576798f8008d718

MD5 hash:

d8268f5fb982dc3e522ea4e800edfe56

SHA1 hash:

aa8d82f98d2f3a7df63e7f632a39dffcbefa10a2

Link:

https://www.unpac.me/results/98180b87-3d5c-40c3-b5dd-bfc459241828/

SH256 hash:

6cf753f40707113e2cf6480ac327d6187b439aaee539138c4faa10fb90d042ed

MD5 hash:

4f39797f58b1f8f82f852753ba64c86d

SHA1 hash:

8157432fa57845220b15100ca7132b58a221d56e

Link:

https://www.unpac.me/results/98180b87-3d5c-40c3-b5dd-bfc459241828/

SH256 hash:

190d10201410fc18054de7f17a4cabdfb593ff9bfcef49ba84bba4f42e4238d0

MD5 hash:

c63755c0167db419facbab9004c6ffc8

SHA1 hash:

40b860af3797e7470a818176e87b497c3ad803be

Link:

https://www.unpac.me/results/98180b87-3d5c-40c3-b5dd-bfc459241828/

SH256 hash:

02699e1561dcd305cd38a58855ac9ff3425edda4614c82cf990504a05df95377

MD5 hash:

f0fcc25d5878fddb5d4c7c75ad5239d6

SHA1 hash:

16db600549e037f75a078e7df1ea509e7979465c

Link:

https://www.unpac.me/results/98180b87-3d5c-40c3-b5dd-bfc459241828/

SH256 hash:

bdf513cd2e97cb60bc6497c6a6155aa36ab7a32636b3f7d87715f988cd68feab

MD5 hash:

50bd9732dd027a7a5939f915b2c1f3e8

SHA1 hash:

fa93c27150f657a82af452eb57590f00532a9303

Link:

https://www.unpac.me/results/98180b87-3d5c-40c3-b5dd-bfc459241828/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bdf513cd2e97cb60bc6497c6a6155aa36ab7a32636b3f7d87715f988cd68feab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/439790/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample