MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce1ed6c75e5261ea509a09cf2cbb4eca2a28f9ac4bd40d0ede711608233546da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 14



SHA256 hash: ce1ed6c75e5261ea509a09cf2cbb4eca2a28f9ac4bd40d0ede711608233546da
SHA3-384 hash: f603cae2b83c10ea863b3f5ad0298c51859d4f6d1b3fae9a0378616794a9fdcef3e4dc301774324dbf9801b571e23bea
SHA1 hash: 1a10c84b47a80b111e9f0d446b3945c9e10d3eb3
MD5 hash: e5a202adbb07b34e36fca0c4bf5da156
humanhash: fish-carbon-snake-eight
File name: DHL SHIPMENT DOC BL.exe
Signature: Formbook
File size: 268'075 bytes
First seen: 2023-07-26 09:59:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep: 6144:/Ya6bSv/MafR6CI9+YuYQBnsa0EAz0i1e+y:/YpSvEg6V9ilZlAzq
Threatray: 3'383 similar samples on MalwareBazaar
TLSH: T15A441218A7E1C8B7F4F3177009B507295FB6E13222709A9B0780BE9C7972296F50E736
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: DHL exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 275
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: DHL SHIPMENT DOC BL.exe
Verdict: Suspicious activity
Analysis date: 2023-07-26 09:59:43 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph ID: 1280486
Sample: DHL_SHIPMENT_DOC_BL.exe
Startdate: 26/07/2023
Architecture: WINDOWS
Score: 100

Root signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 6 other signatures

Process tree (reconstructed from the graph):

- DHL_SHIPMENT_DOC_BL.exe (process 9, started from the root)
  - Dropped: C:\Users\user\AppData\Roaming\...\hqmvfaj.exe (PE32)
  - Dropped: C:\Users\user\AppData\Local\...\mypze.dll (PE32)
  - Signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Maps a DLL or memory area into another process
  - Starts: DHL_SHIPMENT_DOC_BL.exe (process 13)
- DHL_SHIPMENT_DOC_BL.exe (process 13)
  - Signatures: Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
  - Starts: hqmvfaj.exe (process 16); hqmvfaj.exe (process 20)
- hqmvfaj.exe (process 16)
  - Dropped: C:\Users\user\AppData\Local\...\mypze.dll (PE32)
  - Signatures: Maps a DLL or memory area into another process
  - Starts: systray.exe (process 22); audiodg.exe (process 25); svchost.exe (process 27); 2 other processes
- hqmvfaj.exe (process 20)
  - Dropped: C:\Users\user\AppData\Local\...\mypze.dll (PE32)
  - Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file
  - Starts: hqmvfaj.exe (process 29)
- systray.exe (process 22)
  - Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection)
  - Injects into: explorer.exe (process 33)
- hqmvfaj.exe (process 29)
  - Signatures: Maps a DLL or memory area into another process; Sample uses process hollowing technique
- explorer.exe (process 33, injected)
  - Network: acdaiucdac.com 165.140.70.70, ports 49697, 80 (WISCNET1-ASUS, Reserved); www.gearshungry.com 45.33.2.79, ports 49702, 49703, 80 (LINODE-APLinodeLLCUS, United States); 4 other IPs or domains
  - Signatures: System process connects to network (likely due to code injection or exploit)
Threat name: Win32.Trojan.Nemesis
Status: Malicious
First seen: 2023-07-26 10:00:06 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 17 of 24 (70.83%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Unpacked files

File 1
SHA256 hash: 8ac73ddd6e5eaddb2c6e5b1c184f29f970e92f1efaab40542fb9d599fc0225c2
MD5 hash: 548cbe355428d68386eae8856f83962f
SHA1 hash: 7efb15b9b3f7390f1c0ddb21291ece1f41d0ecc2

File 2
SHA256 hash: 6a64354b7f974e3f533ed5a33371d748f0afc8bf06a16d8d21d66f38be9f1ee3
MD5 hash: eff8d0a2bbe635f991e4757f0bb40bc4
SHA1 hash: 0618bd4631530143718eed4b472858a1de857def
Detections: XLoader win_formbook_w0 win_formbook_auto win_formbook_g0

File 3
SHA256 hash: 98535ae49de960e7b2f8ac6278178589ca95aefb441525b7efc22223c6f4ee77
MD5 hash: 17e35086ac464ee7f3d999e230201cf2
SHA1 hash: f28276e5769825a08f1841a25f858117797a3027

File 4 (the submitted sample)
SHA256 hash: ce1ed6c75e5261ea509a09cf2cbb4eca2a28f9ac4bd40d0ede711608233546da
MD5 hash: e5a202adbb07b34e36fca0c4bf5da156
SHA1 hash: 1a10c84b47a80b111e9f0d446b3945c9e10d3eb3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe ce1ed6c75e5261ea509a09cf2cbb4eca2a28f9ac4bd40d0ede711608233546da (this sample)
Delivery method: Distributed via e-mail attachment
