MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 c221c9dcc6e6a5c53181b072958ebe173ac1781861fb1d95ed1734def6322972. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 13
| SHA256 hash: | c221c9dcc6e6a5c53181b072958ebe173ac1781861fb1d95ed1734def6322972 |
|---|---|
| SHA3-384 hash: | 4375abfb4b6d4c5055a875ad97d5b3597642d9c71674ed10162fc44a0f6f7c08c91aaef61e2f8e0492983181750d5d9a |
| SHA1 hash: | 5f88268dc7b92d844d3d3f147e1632d7ea38bd45 |
| MD5 hash: | 28c9f08c441d28e1b49c8aa7b40131ff |
| humanhash: | queen-saturn-michigan-mobile |
| File name: | Pending DHL Shipment Notification REF 9-02-21.exe |
| Download: | download sample |
| Signature | Formbook |
| File size: | 680'448 bytes |
| First seen: | 2021-09-03 06:21:25 UTC |
| Last seen: | 2021-09-03 08:24:16 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger) |
| ssdeep | 6144:PD3PMZNcwvzPoMIxg4mS4Z9U/6dwSIZCs4ZazbDMMQ3MTRSW+ZFJLgGM:PbSNcsoMiguoq/++QszbrQ3MT/+ |
| Threatray | 8'842 similar samples on MalwareBazaar |
| TLSH | T129E42D3E18FE23279176C7E6CBE48823F6C498AF3133A96567D747254316A4674C322E |
| Reporter |  lowmal3 |
| Tags: | exe FormBook |
Intelligence
File Origin
# of uploads :
2
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pending DHL Shipment Notification REF 9-02-21.exe
Verdict:
Malicious activity
Analysis date:
2021-09-03 06:22:55 UTC
Tags:
trojan formbook stealer
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
DNS request
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a system process
Malware family:
Formbook
Verdict:
Malicious
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Detection:
xloader
Threat name:
ByteCode-MSIL.Spyware.Noon
Status:
Malicious
First seen:
2021-09-03 06:22:14 UTC
AV detection:
9 of 43 (20.93%)
Threat level:
2/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
formbook
Similar samples:
+ 8'832 additional samples on MalwareBazaar
Result
Malware family:
xloader
Score:
10/10
Tags:
family:xloader campaign:ssee loader rat
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.idt-metrofireandsecurity.com/ssee/
Unpacked files
SH256 hash:
fe4ed2a81e8d978e5af169b4144f115f27e039f4d56f627ec25dcdf3468bc1ef
MD5 hash:
84869db9efc28228fd5932c0a33a9aac
SHA1 hash:
33b9d49e3eb86dbd7b9bac6b2580bc69d251b611
Detections:
win_formbook_g0
win_formbook_auto
Parent samples :
1c49c90dceca146ee0b95fab3873e38bcda5b46b550a59f8ba2ccf5984a11b92
fa7a3ac64a6c26f248d805abfb0961bfe6518df6dcb3212de51593b92d5e4158
435b924af18dce67e3fbc2b55fc515b839fe883da2e10fd3c8c21859a1181d64
132167fd6c334c13919991a82a38645572a9d58c5f83cb1ddf0fcf41e37d2105
0cb047df6b7a2df55972c4d33b5d10b511f707f30907513f07bf5ae2c070d534
9744a8f624cc86bce830db5caf4a5a8b2263b51f53ca384908b2557e5f9ce99d
7f0599ad186f76d0d5ae5daf5e713747281b1b631bfef0cb340b2977ed53d253
71d1fda394f185684d721f59017634f981e972964f1b4c23366fa28c1da4307f
366b6d23b6e536c3b8bd769edbebc2e7dc26e38e75ac85a32a7b4512f585b68f
f7c1ecf2c6e90d8a9a0ac0972b0ab02ca809a85da65d51b46f56a4c81cc4996e
aba30cfb1f3ce3760e9cbd42f49cafa3582d349d690f1ee91674e2998f4b290e
ac57d8cb242185bd11b7b0ab898c06f7904e0e0a0d9c39edd3b136c902bf394a
69a08fcc2b3eb5499a9356a801bb646d7726dc158cba7f141335997f374ead38
a73336c8fc448bd54031998ad8cbda50f452c3c8a1600623a43e07ce6476b3d5
b4c38c13fa5c4e7789b534da669f6aff46e9faa41ceac97ed3deea7ca94094ca
2465cbd2ae3adb04f06a069fef61acc098096ef1f33cece8076d059b106f7b3a
63abf2ffa58c2c36920a2be604c77ac2a25b2bd5d1d6ba9d81338da21418ff10
e426d0d32845bb665740831128bcb5109a588544acf73317f5ee3bce6e5f486f
42c496ed24bc4b1abd0d647105d7931b9b18b9ce638550dcc5e96fa0cd69dc4c
a9d0de4abec8a5d9f13b203b8f4bcc0dcd101fb5f5f89ea910414d4cc16391ab
169a316f9557b3a154c1cbc1ab4aae2b690d71fd197ff39ac77e58c7e7db4196
fdd78bbf6d05b69fbdcaa24727822f1ec7e9b652266ac34ed69916537e6aeff2
ee5ab13a8694e1883f2e4f1509580d2cd01b6041ef78da9e1524f8b4eaee6ed5
c221c9dcc6e6a5c53181b072958ebe173ac1781861fb1d95ed1734def6322972
b5821114ae6e03e71fa7cc2dc293aa7f8a5563ebb4a2151194b2acb9eed4758d
61364951cb7faf165eaadcb66f8e124a689f5f298ec5f2d9539206904d1194b8
1fad173e519f8c7cb34093e926807794765789e79d377e89ffe201ae8d76dd99
13c385c3a7e1297c506764e1b956a5aa568590389356140c92e2a2cb953bffe5
6ec3a910864aa91b0bec91275ffc3ef7e3dcc0e1c7f247624514b1c9d4c16992
9dbcb6d140d0fd1db131b3f086eb8ee6dc9d0dcdd325f36b48aea1495408e2a2
91a28bbaaaed3acd39f0c37cf091e0a4e3a54ac5f00b4c26c5d3af44c9bc3fb3
cb32d42bcbcc716d12c9926bd3aab2def79f4dc2774f2f04234d95b2b4849e86
def69bd673ae57b70c20087596b787eb27c1f0da7053ba2991e87cf7f032c43c
fa7a3ac64a6c26f248d805abfb0961bfe6518df6dcb3212de51593b92d5e4158
435b924af18dce67e3fbc2b55fc515b839fe883da2e10fd3c8c21859a1181d64
132167fd6c334c13919991a82a38645572a9d58c5f83cb1ddf0fcf41e37d2105
0cb047df6b7a2df55972c4d33b5d10b511f707f30907513f07bf5ae2c070d534
9744a8f624cc86bce830db5caf4a5a8b2263b51f53ca384908b2557e5f9ce99d
7f0599ad186f76d0d5ae5daf5e713747281b1b631bfef0cb340b2977ed53d253
71d1fda394f185684d721f59017634f981e972964f1b4c23366fa28c1da4307f
366b6d23b6e536c3b8bd769edbebc2e7dc26e38e75ac85a32a7b4512f585b68f
f7c1ecf2c6e90d8a9a0ac0972b0ab02ca809a85da65d51b46f56a4c81cc4996e
aba30cfb1f3ce3760e9cbd42f49cafa3582d349d690f1ee91674e2998f4b290e
ac57d8cb242185bd11b7b0ab898c06f7904e0e0a0d9c39edd3b136c902bf394a
69a08fcc2b3eb5499a9356a801bb646d7726dc158cba7f141335997f374ead38
a73336c8fc448bd54031998ad8cbda50f452c3c8a1600623a43e07ce6476b3d5
b4c38c13fa5c4e7789b534da669f6aff46e9faa41ceac97ed3deea7ca94094ca
2465cbd2ae3adb04f06a069fef61acc098096ef1f33cece8076d059b106f7b3a
63abf2ffa58c2c36920a2be604c77ac2a25b2bd5d1d6ba9d81338da21418ff10
e426d0d32845bb665740831128bcb5109a588544acf73317f5ee3bce6e5f486f
42c496ed24bc4b1abd0d647105d7931b9b18b9ce638550dcc5e96fa0cd69dc4c
a9d0de4abec8a5d9f13b203b8f4bcc0dcd101fb5f5f89ea910414d4cc16391ab
169a316f9557b3a154c1cbc1ab4aae2b690d71fd197ff39ac77e58c7e7db4196
fdd78bbf6d05b69fbdcaa24727822f1ec7e9b652266ac34ed69916537e6aeff2
ee5ab13a8694e1883f2e4f1509580d2cd01b6041ef78da9e1524f8b4eaee6ed5
c221c9dcc6e6a5c53181b072958ebe173ac1781861fb1d95ed1734def6322972
b5821114ae6e03e71fa7cc2dc293aa7f8a5563ebb4a2151194b2acb9eed4758d
61364951cb7faf165eaadcb66f8e124a689f5f298ec5f2d9539206904d1194b8
1fad173e519f8c7cb34093e926807794765789e79d377e89ffe201ae8d76dd99
13c385c3a7e1297c506764e1b956a5aa568590389356140c92e2a2cb953bffe5
6ec3a910864aa91b0bec91275ffc3ef7e3dcc0e1c7f247624514b1c9d4c16992
9dbcb6d140d0fd1db131b3f086eb8ee6dc9d0dcdd325f36b48aea1495408e2a2
91a28bbaaaed3acd39f0c37cf091e0a4e3a54ac5f00b4c26c5d3af44c9bc3fb3
cb32d42bcbcc716d12c9926bd3aab2def79f4dc2774f2f04234d95b2b4849e86
def69bd673ae57b70c20087596b787eb27c1f0da7053ba2991e87cf7f032c43c
SH256 hash:
9a569be1313734a7a5657149f890204e1246833e80ac0e45c15b9ebc972cfa99
MD5 hash:
db1ca79a10eb8debc020653b67a41ed4
SHA1 hash:
c9aff868749946879d85e0c75c11a085d3c244c2
SH256 hash:
ee24a7ee66e57ff62737dc570f1982dc217904e88f33912faaf88127b930e6c7
MD5 hash:
02d3a951199282ddd7c87247a332c326
SHA1 hash:
6fad4fceaa9460196adc5a8281ebdba4c6c4de87
SH256 hash:
c221c9dcc6e6a5c53181b072958ebe173ac1781861fb1d95ed1734def6322972
MD5 hash:
28c9f08c441d28e1b49c8aa7b40131ff
SHA1 hash:
5f88268dc7b92d844d3d3f147e1632d7ea38bd45
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | pe_imphash |
|---|
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.