MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bffe6cd24f7300f89fedcd846a4ecd0fd5c39ad3d011cf15776ee49aa38d9e07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bffe6cd24f7300f89fedcd846a4ecd0fd5c39ad3d011cf15776ee49aa38d9e07
SHA3-384 hash: 049a6359decb22bc3fa5f6fab81fd6717461a4a074c2daea14af965ea6c5708207099ff9506bff09a3d42b7302f70c9a
SHA1 hash: 538efb9165b94350d0fe12a0d6715c94049e1d76
MD5 hash: 75ba90602fd529842a7149af56b8aa45
humanhash: eight-texas-fillet-spaghetti
File name:DHL_Shipment_Notification_7124175133_shipping_documents_1241751133.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:764'928 bytes
First seen:2021-04-26 06:02:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:mkjtez8pMd7A0tgF45EDpldZtWxb3KQ10VrrpnOzq6:l5WZ7GFwZn14rr
Threatray 4'831 similar samples on MalwareBazaar
TLSH ACF4E020A3985B55E07EB37D9130051487FAFE22D327D79D7EC9B0EA1A36F810A56B13
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_Shipment_Notification_7124175133_shipping_documents_1241751133.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-26 06:09:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9502a0ce-e403-470f-bbf7-166c3c1839f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/144204/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.17827.27935.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/697342
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bffe6cd24f7300f89fedcd846a4ecd0fd5c39ad3d011cf15776ee49aa38d9e07/
Threat name:
ByteCode-MSIL.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2021-04-25 21:52:15 UTC
AV detection:
9 of 47 (19.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x77gzuspomaprh7nzwcgutwnb7k4hgwt2ai46flxn3sjvi4ntydq._file
Verdict:
malicious
Similar samples:
05b6ee8ad090962be89b9f9d1c604541bfc1914e94c245bad6f469988eed019c
Formbook
38acc90cd6d33b61b99cca8cf06781e1bd2ab8ffebc3a33e036eca36037d413b
Formbook
395171260fafe84055b84b5cae4ddd1d48ae4c49088867ed7a4e58de2394ac55
Formbook
56368dfb68347ec22ba4d8d1d16e1acc9dbf37acf30803ef92f75f27f0a6a6a5
Formbook
5915848dc0c0e2e649fdc29ed1d3270ec15b78493e9ca9debf5e85a090e533b6
Formbook
6f4fbab85c58d588450bc856ceff3894645e0033b4c4d2684184a8430c01daa4
Formbook
720ffc99aa96c665aae27db46f776476c37ca113db207790579adfd81c73ad05
Formbook
8eb77ec70c44e86607e97ce926cdb4e0610a0199c348fa329dba50bef34d5fc1
Formbook
a14ae718bd486d1db0ac41a00f37ce34808fd267ee1286663a00f1baea7069d5
Formbook
b03f6bc5eec0f24076b3ef2c761b21d75c489ad34c5f94dcffab6d2b4d65263f
Formbook
+ 4'821 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210426-zay9xgwzcj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.thisdomainisnotinuse.com/mcs/
Unpacked files
SH256 hash:
e90a19eba5f2de3ba82f652221105bb0682b07c20abddec487c6f4354ea79c39
MD5 hash:
efb0de4397ea61e17d262e278b53ff86
SHA1 hash:
727fdf2ceb13262d56bdda24a02564fb3e80c8b0
Link:
https://www.unpac.me/results/cd0d84f3-a5d9-49a7-a2f5-e5799a73ad85/
SH256 hash:
bffe6cd24f7300f89fedcd846a4ecd0fd5c39ad3d011cf15776ee49aa38d9e07
MD5 hash:
75ba90602fd529842a7149af56b8aa45
SHA1 hash:
538efb9165b94350d0fe12a0d6715c94049e1d76
Link:
https://www.unpac.me/results/cd0d84f3-a5d9-49a7-a2f5-e5799a73ad85/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/bffe6cd24f7300f89fedcd846a4ecd0fd5c39ad3d011cf15776ee49aa38d9e07

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144204/

Comments