MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccc5b256bd8bd09fb241407caee97afda894f2a884b533f3634324e7b87da47e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccc5b256bd8bd09fb241407caee97afda894f2a884b533f3634324e7b87da47e
SHA3-384 hash: 14fd6beb898eb2d22849682f9bb98f49f68a8925c26cf60ce4d9e182bc4602968668620fcaad839730c5efffd74e84fd
SHA1 hash: 5e4b578b12ad2e64dcd70217d5cae9cf5a215bf1
MD5 hash: 1f39178c29ff3aa896ed3727c3d2b64a
humanhash: mountain-avocado-nebraska-yankee
File name:Dhl notification.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'139'712 bytes
First seen:2021-12-17 15:21:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:RKc2qBrxam5UUUUUUUi1Bdz/z+AuSK3FoWntWxVedHPiHqhWm+aGih5Y8HRUUUUo:MVqrzNXCDSK3FoWnPVIQW1au8H+1
Threatray 10'696 similar samples on MalwareBazaar
TLSH T13335078525AD3B25FD7953F800AA6C94C3BA7D2A717EC68D4CC330E72973F924850A5B
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214833/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/61bcab1fa2eae65b861f29ce/reports/cb4a1fd7-7785-42ac-94d4-cabef3efb898/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14480ea8-edcd-40aa-9615-53ea1de628ac
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/909165
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 541639 Sample: Dhl notification.exe Startdate: 17/12/2021 Architecture: WINDOWS Score: 100 43 www.dolledbydior.com 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 12 other signatures 2->51 11 Dhl notification.exe 7 2->11         started        signatures3 process4 file5 37 C:\Users\user\AppData\Roaming\WolvdGXFe.exe, PE32 11->37 dropped 39 C:\Users\user\AppData\Local\...\tmp2A52.tmp, XML 11->39 dropped 41 C:\Users\user\...\Dhl notification.exe.log, ASCII 11->41 dropped 53 Writes to foreign memory regions 11->53 55 Adds a directory exclusion to Windows Defender 11->55 57 Injects a PE file into a foreign processes 11->57 15 RegSvcs.exe 11->15         started        18 powershell.exe 25 11->18         started        20 schtasks.exe 1 11->20         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 2 other signatures 15->71 22 explorer.exe 15->22 injected 24 conhost.exe 18->24         started        26 conhost.exe 20->26         started        process9 process10 28 cmmon32.exe 22->28         started        signatures11 59 Modifies the context of a thread in another process (thread injection) 28->59 61 Maps a DLL or memory area into another process 28->61 63 Tries to detect virtualization through RDTSC time measurements 28->63 31 cmd.exe 1 28->31         started        33 explorer.exe 1 150 28->33         started        process12 process13 35 conhost.exe 31->35         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ccc5b256bd8bd09fb241407caee97afda894f2a884b533f3634324e7b87da47e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-17 04:39:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
72
AV detection:
22 of 43 (51.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ztc3evv5rpij7msbib6k52l27wujj4viqs2th43dimsopod5ur7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
24a67748af038fb71279d9494318557036d86026598cdaa8822229221b5eac85
Formbook
2f07775ab256b6bd7dc726fdf62f96728f1b1c2f4b9696f633c81c3f4540f30d
Formbook
2f6e89afd122fb052c5ad063bfe784b854157f9ff99af0a8aae4b7d19641ff61
Formbook
5c32323d52315250c99fb3b2fbbb17bd1baea04fca35714d8eb17fcc48a6ee43
Formbook
8a13ce3da212f3557c8d3f43a375fa6e030b400c2da2ca9701bed88f839863fc
Formbook
99e25501d1c736865e766fe4e347cda8817f4005be1d7b0c336451b89be71ed2
Formbook
9c87ae78442d9bc2148c24b455e344deda13c70feacd75c4796ab9c91b18015f
Formbook
dad44254738682bad3b4582fa66217c68abcc3a8512a825c2f1836e5bbd94c3c
Formbook
ff49729f166632886284a0ef9e5e084151096acc1aa7e43c353e922e2fbb1086
Formbook
+ 10'686 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:a94o rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/211217-srw5gseefl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
729bff72d7df86950c9a03b9d5814267b5f738df9aafd27b8d25603f2a910f33
MD5 hash:
ee24f75a5a8b88bf33a08abed0b62442
SHA1 hash:
98e44fcb0767dd065d3d6e9185330243dbc1dd69
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bd6195cb-0ec1-41b1-99ac-4fd29d7a1fe8/
Parent samples :
166eaef2a1db9235f1cfa04186b1586ddb1f81466d4a47d4a835d6fbecdaafca
ff49729f166632886284a0ef9e5e084151096acc1aa7e43c353e922e2fbb1086
ccc5b256bd8bd09fb241407caee97afda894f2a884b533f3634324e7b87da47e
8e4da8766eb5ea763138244606bbdbafd4297a332988868411194d067724e24f
34f46dda75810eb7a5f92544fdbecf589cc3633a7ef163b54f338477598af7f1
SH256 hash:
fcc1cc71228d2ac687e9c4157c941b178b8cd9e17b147119114799c96e339e00
MD5 hash:
f5b471c3053479ab46abf69eebc027f9
SHA1 hash:
74106e3dc7451a66ee296190b47c16b903560b93
Link:
https://www.unpac.me/results/bd6195cb-0ec1-41b1-99ac-4fd29d7a1fe8/
SH256 hash:
9f5763966bacdc6de3944a6e06a49b05869c38f2e98b32cb93b483a480a6ffff
MD5 hash:
3418c620c4b9dd4533a88f1ba5ec3ff1
SHA1 hash:
12f6aaf1c90030c4063d42a27b2e7000a08b6e74
Link:
https://www.unpac.me/results/bd6195cb-0ec1-41b1-99ac-4fd29d7a1fe8/
SH256 hash:
ccc5b256bd8bd09fb241407caee97afda894f2a884b533f3634324e7b87da47e
MD5 hash:
1f39178c29ff3aa896ed3727c3d2b64a
SHA1 hash:
5e4b578b12ad2e64dcd70217d5cae9cf5a215bf1
Link:
https://www.unpac.me/results/bd6195cb-0ec1-41b1-99ac-4fd29d7a1fe8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ccc5b256bd8bd09fb241407caee97afda894f2a884b533f3634324e7b87da47e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/214833/

Comments