MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c261ace97411301444d9dfa50d29f9a0328e83ddf45bf15128ad9d796d050461. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c261ace97411301444d9dfa50d29f9a0328e83ddf45bf15128ad9d796d050461
SHA3-384 hash: bbc485bd78cc83e94912f7be4b0e98cc03ba8efc1addb4a0889b60033f4eeea5820a209035608284134420c07cfa636b
SHA1 hash: 02f4722d98277480d4d128e3321f156e0471bdde
MD5 hash: d500caad040c54a8a064bb1ae1e02277
humanhash: oregon-nevada-victor-juliet
File name:DHL Shipment Delivery Notification 27-9-23.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:330'949 bytes
First seen:2023-09-28 06:35:50 UTC
Last seen:2023-09-28 06:36:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep 6144:BnPdudwDs9iDkylpSqHCJLYFn+dBfSVuMKdWKPcmr5tT/RIQzNfov32ZzjWusiD/:BnPdw9iAmpbHCJLQneBaW8KPc2tlIQzp
Threatray 2'259 similar samples on MalwareBazaar
TLSH T1E764124A1365E57BD5B21A781B774BB88BE7A0285CF8830E238C1F4DBC234A35D1967D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:DHL exe FormBook payment

Intelligence

File Origin
# of uploads :
2
# of downloads :
287
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL Shipment Delivery Notification 27-9-23.exe
Verdict:
Malicious activity
Analysis date:
2023-09-28 08:37:45 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/f926405a-ba05-4bd3-8942-ea478f978f1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451725/
Detection(s):
Sanesecurity.Rogue.0hr.20230927-1636.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Sending a custom TCP request
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Gathering data
Verdict:
Likely Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/65151ed632ffdb7a7a17233c/reports/d04e9bcb-1d92-4b1c-aac9-4c07205e0c53/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c261ace97411301444d9dfa50d29f9a0328e83ddf45bf15128ad9d796d050461
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/15dd8de1-0fe6-4f91-a360-4a91820237d6
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1315672
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1315672 Sample: DHL_Shipment_Delivery_Notif... Startdate: 28/09/2023 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 9 other signatures 2->56 11 DHL_Shipment_Delivery_Notification_27-9-23.exe 18 2->11         started        process3 file4 32 C:\Users\user\AppData\Local\...\wdjjinav.exe, PE32 11->32 dropped 14 wdjjinav.exe 11->14         started        process5 signatures6 66 Multi AV Scanner detection for dropped file 14->66 68 Maps a DLL or memory area into another process 14->68 70 Tries to detect virtualization through RDTSC time measurements 14->70 17 wdjjinav.exe 14->17         started        process7 signatures8 42 Modifies the context of a thread in another process (thread injection) 17->42 44 Maps a DLL or memory area into another process 17->44 46 Sample uses process hollowing technique 17->46 48 Queues an APC in another process (thread injection) 17->48 20 explorer.exe 5 1 17->20 injected process9 dnsIp10 34 saspresence.perf1.com 81.92.80.55, 49837, 80 NAMESHIELDFR France 20->34 36 www.1wapws.top 190.115.24.78, 49840, 80 DDOS-GUARDCORPBZ Belize 20->36 38 12 other IPs or domains 20->38 58 System process connects to network (likely due to code injection or exploit) 20->58 24 WWAHost.exe 12 20->24         started        signatures11 process12 dnsIp13 40 www.sqiyvdrx.cfd 24->40 60 Modifies the context of a thread in another process (thread injection) 24->60 62 Maps a DLL or memory area into another process 24->62 64 Tries to detect virtualization through RDTSC time measurements 24->64 28 cmd.exe 1 24->28         started        signatures14 process15 process16 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c261ace97411301444d9dfa50d29f9a0328e83ddf45bf15128ad9d796d050461/
Threat name:
Win32.Trojan.InjectorX
Create hunting rule
Status:
Malicious
First seen:
2023-09-27 09:51:31 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yjq2z2luceybirgz36sq2kpzuazi5a656rn7cujivwoxs3ifarqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03ffe862ddce5d29a530979327b5c41e8d952c0785cc02578061fe234543519f
Formbook
190090b95e7c9b2410ceb2149bb1c4369550963e56693e331bda3d020a0018e2
Formbook
244da7e5507e828266a961e3f4bd165f1b8c408463157d6c1e01bef1cf162034
Formbook
369de2afba1e4a4807ac66f57dfb436ec13cd46a5c09f6a4d7faedc788d04be7
Formbook
5f4316e6d654f612b1aa557b15eae6502979697bcd4cdc101b49c2297a6dca14
Formbook
b799dc2f99d7cf59b9379f6ac7b32fe0852d2eab2386d20799c3085d38a576a5
Formbook
dc5eb730f1df702be89804ca234b60fec5fed7b6ed8d6c719f7006f40775f888
Formbook
f2f5aed974966a3e0339b2092b7b128e22032b8d1bb6a9395a110a710a52acc7
Formbook
+ 2'249 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:sn26 rat spyware stealer trojan
Link:
https://tria.ge/reports/230928-hcxscsge8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Formbook payload
Formbook
Unpacked files
SH256 hash:
1b990c7256969865617929a408a88709db6de3f9fb1c435b6d255940e54e1f00
MD5 hash:
d9360632962b8f895b4f33b76de6438e
SHA1 hash:
0a205e7d5436f0914a3000de9801424625a2eda4
Link:
https://www.unpac.me/results/b74cc28d-fb17-4cbe-a95c-c78546f20189/
SH256 hash:
c261ace97411301444d9dfa50d29f9a0328e83ddf45bf15128ad9d796d050461
MD5 hash:
d500caad040c54a8a064bb1ae1e02277
SHA1 hash:
02f4722d98277480d4d128e3321f156e0471bdde
Link:
https://www.unpac.me/results/b74cc28d-fb17-4cbe-a95c-c78546f20189/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c261ace97411/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c261ace97411301444d9dfa50d29f9a0328e83ddf45bf15128ad9d796d050461

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

r00 07daaf1983dc5ad5374f4776d4e1a3f74a8933891cf1b497129358702bdbc33a

Formbook

Executable exe c261ace97411301444d9dfa50d29f9a0328e83ddf45bf15128ad9d796d050461

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 07daaf1983dc5ad5374f4776d4e1a3f74a8933891cf1b497129358702bdbc33a
  
Dropped by
SHA256 0f28c5c9c5bf46aa924bae25c5d528b883320396d1804fde139aab6ad9586ea2
Cape
Cape
https://www.capesandbox.com/analysis/451725/
  
Dropped by
MD5 414af2fa03d933fe78c66163336038f1
  
Dropped by
MD5 0d54213b4415bf58a2e1f809295f92fe

Comments