MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c81190b655f1cd5942ccc5766917c798477a21599ce465aaa8ec04bc98eeb2b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 18

SHA256 hash: c81190b655f1cd5942ccc5766917c798477a21599ce465aaa8ec04bc98eeb2b9
SHA3-384 hash: 8f2b4178bd49e4a8271c8a68112d2836ab9a5474f99d0f0bc9229080ba9f67d358f9acaea7497830a81790532f317488
SHA1 hash: ecdb459cf0df28e8fc3e7c0238d2f562c9a37a75
MD5 hash: b5046ca7ff13822c29bdaed43364f7b8
humanhash: south-burger-west-maine
File name: DHL AWB TRACKING DETAILS.exe
Signature: Formbook
File size: 854'016 bytes
First seen: 2025-04-30 08:15:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:ryGaKsGDapOwPpoFArgATbzB/961rg4PLRY6yXT3vv9cIzXh9RfD/o:MJRo6rg8xN4Dgj3vVVX5
TLSH: T1BB0501526718F617D5DA1BB81BB1E178037C1ED9B401DA5AAFDA3CFF7976A000D0A283
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: abuse_ch
Tags: DHL exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 435
Origin country: NL

Vendor Threat Intelligence

Malware family: formbook
ID: 1
File name: DHL AWB TRACKING DETAILS.PDF.zip
Verdict: Malicious activity
Analysis date: 2025-04-29 10:50:25 UTC
Tags: arch-exec stealer formbook xloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 95.7%
Tags: micro spawn shell

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Creating a window
  Creating synchronization primitives
  Creating a process with a hidden window
  Creating a file in the %AppData% directory
  Enabling the 'hidden' option for recently created files
  Adding an access-denied ACE
  Creating a file in the %temp% directory
  Launching a process
  Unauthorized injection to a recently created process
  Restart of the analyzed sample
  Creating a file
  Adding an exclusion to Microsoft Defender
  Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: masquerade obfuscated packed packed packer_detected

Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  .NET source code contains potential unpacker
  Adds a directory exclusion to Windows Defender
  Antivirus detection for URL or domain
  Found direct / indirect Syscall (likely to bypass EDR)
  Joe Sandbox ML detected suspicious sample
  Loading BitLocker PowerShell Module
  Maps a DLL or memory area into another process
  Modifies the context of a thread in another process (thread injection)
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Queues an APC in another process (thread injection)
  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
  Sigma detected: Scheduled temp file as task from temp location
  Sigma detected: Suspicious Process Parents
  Switches to a custom stack to bypass stack traces
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to steal Mail credentials (via file / registry access)
  Uses schtasks.exe or at.exe to add and modify task schedules
  Yara detected AntiVM3
  Yara detected FormBook
Behaviour:
Behavior Graph (rendered as a graph on the page; the node data recovered from it is listed here):
  Behavior Graph ID: 1677961
  Sample: DHL AWB TRACKING DETAILS.exe
  Start date: 30/04/2025
  Architecture: WINDOWS
  Score: 100
  Domains at the start node: www.themessageart.online; www.pegji.online; 7 other IPs or domains
  Signatures at the start node: Antivirus detection for URL or domain; Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 8 other signatures
  Process tree:
    DHL AWB TRACKING DETAILS.exe (started)
      dropped: C:\Users\user\AppData\...\GvreDyIXrAzP.exe (PE32); C:\Users\user\AppData\Local\...\tmpD9A4.tmp (XML); C:\Users\...\DHL AWB TRACKING DETAILS.exe.log (ASCII)
      signature: Adds a directory exclusion to Windows Defender
      -> DHL AWB TRACKING DETAILS.exe (started)
           signature: Maps a DLL or memory area into another process
           -> t7hHkSA52p9nkgCuWESCD8.exe (injected)
                signature: Found direct / indirect Syscall (likely to bypass EDR)
                -> notepad.exe (started)
                     signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                     -> t7hHkSA52p9nkgCuWESCD8.exe (injected)
                          network: www.pegji.online 185.151.30.221, ports 49735, 49736, 49737 (TWENTYIGB, United Kingdom); www.kiviliike.org 185.168.212.119, ports 49727, 49728, 49729 (MMD-ASKauppakatu3A4FI, Finland); 2 other IPs or domains
                          signature: Found direct / indirect Syscall (likely to bypass EDR)
                     -> firefox.exe (started)
      -> powershell.exe (started)
           signature: Loading BitLocker PowerShell Module
           -> WmiPrvSE.exe (started)
           -> conhost.exe (started)
      -> powershell.exe (started)
           -> conhost.exe (started)
      -> 2 other processes
           -> conhost.exe (started)
    GvreDyIXrAzP.exe (started)
      signature: Multi AV Scanner detection for dropped file
      -> schtasks.exe (started)
           -> conhost.exe (started)
      -> GvreDyIXrAzP.exe (started, 3 instances)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2025-04-29 08:57:10 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 19 of 24 (79.17%)

Threat level: 5/5
Verdict: malicious
Label(s): unc_loader_037 formbook
Similar samples:

Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour:
  Scheduled Task/Job: Scheduled Task
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Suspicious use of SetThreadContext
  Checks computer location settings
  Command and Scripting Interpreter: PowerShell
Unpacked files
- SHA256 hash: c81190b655f1cd5942ccc5766917c798477a21599ce465aaa8ec04bc98eeb2b9
  MD5 hash: b5046ca7ff13822c29bdaed43364f7b8
  SHA1 hash: ecdb459cf0df28e8fc3e7c0238d2f562c9a37a75
- SHA256 hash: ba43c734e3081e9cb6cc9831d1cfb812a1e7d1c0a3a0df4bf99473a1bbe35533
  MD5 hash: 7bc47c691b3031ca52d19b63d5c33f62
  SHA1 hash: b34e6efb7657abc5300db9c32ef6b8b9be9638f2
  Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
- SHA256 hash: d55ddcd782cbf2a12dc53c70efd1089dbc66634ace9144167a2f7e460935a1fe
  MD5 hash: 2ff9f42b954972e24ba3b4e36a1407e0
  SHA1 hash: cdbbbecc0986d6a87e82095abc97d559112f4caf
- SHA256 hash: ef95a02ea91377eb567b7c9a651608e9c2dee8ff798657968a06324ff953c324
  MD5 hash: 4db5fd6c530c9f631d1cede7b77314ca
  SHA1 hash: ec0a08c09cbe1fc45f16eb9ebd7fb4a6240b351d
- SHA256 hash: 4cc1f77d85ff19d0ed6933c7a8531fabfce153f1e3a8d06993c4cb5ba92b2f5d
  MD5 hash: 980b52051ba3758c821425cfc1f29031
  SHA1 hash: 24e68caa2f74e32a7f39543393b365ebdc005db4

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: pe_no_import_table
Description: Detect pe file that no import table

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                        | Title                                                  | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                   | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Comments