MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6278fa04be065c8a37b80f35ebbafef00de918be694488ac9fc429016486cc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

SHA256 hash: c6278fa04be065c8a37b80f35ebbafef00de918be694488ac9fc429016486cc1
SHA3-384 hash: 58a1e6f920e3a896bb40d431d34603eebc2bd0377b6285bb62632b971990bfced76a3660902960e16916bdfdcdf02b54
SHA1 hash: 9fb11d53e5631a39c942c6eff29300d70812a4b6
MD5 hash: 2b43d2febed4af51b4e38c089766b7e2
humanhash: six-autumn-lactose-berlin
File name: DHL AWB & Shipping Document.exe
Signature: Formbook
File size: 1'198'592 bytes
First seen: 2023-11-26 18:30:53 UTC
Last seen: 2023-11-26 20:54:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:EDhOwEjuBDQDodIrohw74kPVQu6Uk7Dc1Ee0sthjIAMqaxRv4FgMey7K:e8YDQDodIrohw74kPVDqE0s3rMq+vygc
Threatray: 11 similar samples on MalwareBazaar
TLSH: T14A459CE827BC4B1BD7CD16F5A021178D47B0C535B6C7B79A748ABCB52E923124EC2E42
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: DHL exe FormBook

Intelligence

File Origin
Uploads: 2
Downloads: 293
Origin country: NL

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Launching the process to interact with network services
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph ID: 1348110
Sample: DHL_AWB_&_Shipping_Document.exe
Startdate: 26/11/2023
Architecture: WINDOWS
Score: 100
Process chain: DHL_AWB_&_Shipping_Document.exe (started) -> DHL_AWB_&_Shipping_Document.exe (started) -> KxmSaUBFElJMRk.exe (injected) -> net.exe (started) -> KxmSaUBFElJMRk.exe (injected) and firefox.exe (started)
Signatures on the root sample: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
Signatures on the first process: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Injects a PE file into a foreign process
Signatures on the second process: Maps a DLL or memory area into another process
Signatures on net.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures
Domains contacted by the root sample: www.thetruthauthor.com, www.startproblog.com, 9 other IPs or domains
Network contacts from the injected KxmSaUBFElJMRk.exe: thetruthauthor.com (111.221.45.33, 80; READYSERVER-SGREADYSERVERPTELTDSG, Singapore); startproblog.com (109.234.160.159, 49718, 49719, 49720; O2SWITCHFR, France); 3 other IPs or domains
Threat name: ByteCode-MSIL.Downloader.ZgRAT
Status: Malicious
First seen: 2023-11-25 03:36:23 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 14 of 23 (60.87%)
Threat level: 3/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook: Executable exe c6278fa04be065c8a37b80f35ebbafef00de918be694488ac9fc429016486cc1 (this sample)
Delivery method: Distributed via e-mail attachment
