MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7d611273db5e420a16cb29ec9a204c9b483aa6b954e51a01b9aa7b732ccde1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7d611273db5e420a16cb29ec9a204c9b483aa6b954e51a01b9aa7b732ccde1f
SHA3-384 hash: d3bdd3fbb72ef52a3993a71f3f6aa77970555de9fac89f915169092e8a2b0b7e7526af3f008a02bbb46ddec40d860bf0
SHA1 hash: 75aeba5982cfc0f20177633075bc26ece1096b84
MD5 hash: fa24ca1fe342222df1cb13cb3c161d88
humanhash: johnny-five-tennis-pennsylvania
File name:DHL Invoice Details_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:851'968 bytes
First seen:2022-10-19 06:07:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:CWt9svoGei5QfUZ01BtBCLlK4rQrrIcUv+Gc2+wlGOfKFDyfMssn1P0:E/n5Q8GAh/qkpvZc2FYDx
TLSH T10505E12A35AF8F12C3685677C0C3541893B98B3656B2D74B350101F56A0ABDBFE46BCB
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 9cc2d9c9ec6c9cf2 (6 x Formbook, 3 x SnakeKeylogger, 2 x AgentTesla)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL Invoice Details_pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-10-19 06:24:10 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/f0fb89df-59e4-458f-bc28-9c549e359a68

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321601/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.18687.25592.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker packed
Link:
https://www.filescan.io/uploads/634f9444339362a6061b0d62/reports/e37edc94-45f3-4510-ba45-49a0e0d0b269/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2532849-abdb-4697-a542-85cb36aedfa1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1093249
Signature
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7d611273db5e420a16cb29ec9a204c9b483aa6b954e51a01b9aa7b732ccde1f/
Threat name:
Win32.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-10-18 19:54:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 40 (55.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y7lbcjz5wxscbilmwkpmtiqezg2ihktlsvhfdia3tkt3omwm3ypq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:g1z0 rat spyware stealer trojan
Link:
https://tria.ge/reports/221019-gvwscaehb8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7a828746-a390-4a08-8c2b-2fc4d1d37aaa
Unpacked files
SH256 hash:
e1095a272063f93ac810e7893e39a20eaa1ef81d65d732bc65ed73ae4e8e8c4b
MD5 hash:
ea8c48008eb78fa1c23feed5e16a0f2b
SHA1 hash:
92712c5f9ba1bebd067a65e26c1b5b0f55aa55be
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/042d6e17-f751-48f5-97c1-8e8bf0d7f9f1/
Parent samples :
249648c3d1865eeee6209f48ab94869edc1ad441d5fd46fbbef6913531661029
b695eab40ab9b439be45698e13e09d975d9c4db69b7de66a55721e4d20947c6b
c7d611273db5e420a16cb29ec9a204c9b483aa6b954e51a01b9aa7b732ccde1f
adfa5fb06da957f5543cb4ba562957341f76207fbdf849fdff35f719f1987d4b
d5b506a06cd81e98b0ac084d04cf2eeb448dac247c0fe6570f5986c4dffd9554
51c1577d4a3d58361d9ea44c9655f1e2a6f010ec0a43ca53c78794e814b3810f
8ce549ad71a516c07dcd28af4d56ccb1561db53fe35189fb355c76240423c551
46cbbf73c50dd90268f30bec98085b53402a7de7d0911f4045fb286162687e60
5ad9445244f588ce57159dd37b47a7404c6226a11cfe9283204effb956bd050a
4ae8aa5632e5c9ff2554935e00849c5a66440c03b0fbd4ca8c73dd725c842024
SH256 hash:
7098c31908b95f35518d45c0c3f4acac87ae1e374ba2a23783d01bf08187b4c1
MD5 hash:
0c8ea0a360483278c7b0a92997ae5be1
SHA1 hash:
fb27a25e2d1bcfc846c3ae56b396a305f8a01fa7
Link:
https://www.unpac.me/results/042d6e17-f751-48f5-97c1-8e8bf0d7f9f1/
SH256 hash:
00626eb6b070eca52946194be86986439343b654404f8ce6e9fbbbf2aae1b83e
MD5 hash:
fec3e79beb9a7c3be3a55bd78784065d
SHA1 hash:
d70f6c0ed8f91d5c5155239792ca1d63233423e5
Link:
https://www.unpac.me/results/042d6e17-f751-48f5-97c1-8e8bf0d7f9f1/
SH256 hash:
478cc7a3ca906be9888f29fc06e959e7de7f760cda070ea35297ad3b7a6f82d3
MD5 hash:
6699d351aac54bf811c91be5fed16e71
SHA1 hash:
a66e053f8e88bb8c15d643d095acd21a8bc6d5e8
Link:
https://www.unpac.me/results/042d6e17-f751-48f5-97c1-8e8bf0d7f9f1/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/042d6e17-f751-48f5-97c1-8e8bf0d7f9f1/
SH256 hash:
13613d8fc1c9ae64f5af589720871fac59b87537f9e8582c6b9a7b79e29c3781
MD5 hash:
f551b9b44ed9ab0044115fcbc1d25676
SHA1 hash:
0827b950a8f8ddc301a867eb0eb58adf3806458a
Link:
https://www.unpac.me/results/042d6e17-f751-48f5-97c1-8e8bf0d7f9f1/
SH256 hash:
c7d611273db5e420a16cb29ec9a204c9b483aa6b954e51a01b9aa7b732ccde1f
MD5 hash:
fa24ca1fe342222df1cb13cb3c161d88
SHA1 hash:
75aeba5982cfc0f20177633075bc26ece1096b84
Link:
https://www.unpac.me/results/042d6e17-f751-48f5-97c1-8e8bf0d7f9f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/c7d611273db5e420a16cb29ec9a204c9b483aa6b954e51a01b9aa7b732ccde1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c7d611273db5e420a16cb29ec9a204c9b483aa6b954e51a01b9aa7b732ccde1f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/321601/

Comments