MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d16d34e4b1d1ef563842f3a0e691642da9f814bf240827e704caa57dc3106db0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 5 File information Comments

SHA256 hash:	d16d34e4b1d1ef563842f3a0e691642da9f814bf240827e704caa57dc3106db0
SHA3-384 hash:	413b7b946e94f36a464e39ab10ec69a6e8d1e6537a45dee8ed9a1d09fcc0c5ab35d40241b56d8a974822c8fa5fbd0673
SHA1 hash:	ab5de0026cb731e285d937a70bb1b16f5a2bb811
MD5 hash:	ef21d03f6847389f89c057fd2dee4ba0
humanhash:	quebec-blossom-black-blue
File name:	DHL_APC2_240708172813545.pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	719'872 bytes
First seen:	2024-07-14 08:09:22 UTC
Last seen:	2024-07-24 21:41:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:PdRLYVK+orvCrf9Sq/a4HUAiQ3qN0rPtD/0xCRFXcdjoKNl9NVPmHFmpfaO:PLL1+dsLjAM2WxCRFcp79N8spfD
TLSH	T162E4E06872ED1F42D4B94BF51A75890067B3781A6A71E30D4EEC20DF1B73F109A62B63
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter	abuse_ch
Tags:	DHL exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

521

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d16d34e4b1d1ef563842f3a0e691642da9f814bf240827e704caa57dc3106db0.exe

Verdict:

No threats detected

Analysis date:

2024-07-14 08:17:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3ee11c3a-b68c-406f-84cb-729bb7dc21fd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.103.13048.UNOFFICIAL

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=669387ddbcca3f923eb46861win7simulatehigh_evasion

Tags:

Generic Static Stealth Swotter

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/669387ddf739ad163685f4a7/reports/c4be4696-23d1-4e41-a69d-908b358128b8/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/d16d34e4b1d1ef563842f3a0e691642da9f814bf240827e704caa57dc3106db0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/74d659f3-994e-49b8-b852-279a19585241

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1472845

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d16d34e4b1d1ef563842f3a0e691642da9f814bf240827e704caa57dc3106db0

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/d16d34e4b1d1ef563842f3a0e691642da9f814bf240827e704caa57dc3106db0/

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2024-07-12 13:07:30 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2fwtjzfr2hxvmocc6oqonelefwu7qff7eqecpzyezksx3qyqnwya._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:rn94 rat spyware stealer trojan

Link:

https://tria.ge/reports/240714-j2p99avfkc/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook payload

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/bd4b4a28-825d-495b-9968-fe4c9ec1dcf5

Unpacked files

SH256 hash:

e43c25ff7178824b172aa9de2e985b0ccb53562e97da4dc7f34ea0c5515ebf00

MD5 hash:

489d620aedc30017f7636236be8f7741

SHA1 hash:

535bac391ea7b051a50897de5faad5ca9b9d44af

Detections:

FormBook

win_formbook_g0

win_formbook_auto

win_formbook_w0

Formbook

Link:

https://www.unpac.me/results/bcc41c0b-29c5-4b27-96ab-7d6fc37ee9b5/

Parent samples :

8eade02ff3abef532d9070a1e3ea6f8df6c213748bce1c0f55b75686706a53c4
8973790929fbbd34ff29fb50b887dec10d68f8fcefc5050d6ec78dc88a64b5ee
e9c2049ebaa1664254905bf3d5ba58d7d5b09bf3a261c157f47acb0a44d9c4bb
7565e6753a23fa9393cd3a32b1f65153658a48d8a289a2571fd9285f6628ac65
d16d34e4b1d1ef563842f3a0e691642da9f814bf240827e704caa57dc3106db0
05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1
81e716048fef66f3f6ccdebc7df3867ebb4ab9cda48578702345203ba2a6d74d
ba6b404291eeee5e3a7f92f8debfd1af684035664d95fcfdb7ea8fef1b2da40e
85e52db537a5859de92b51ddb3363b89058fb9fbf514e265df4092c0d5102dc2
e171a6d388f4cd1e2051d0f29b720c84a52876a3208af1824e9b634c2117b4ee
ee118f8e57acfa0e476638a011ed8d6664d1499e1b326180e21e6f9834ea93e0
e0374712b7f2b3605536f4b48018ed3bf0b54c04d9758988b261aad23a755a44
53daafedffd7fad6a7ab9b6ac1e8e5d4994dfc68cd119178ef37d0aefb2a643f
2817a9a6fc061c9f8e6e7c341b778b403ceaeb439cb8e40760c908ada5c323cd

SH256 hash:

40f2da995ff5d77138f3bc2e38e0c8fc67fcfac1e494b4ada809f912c662b7cf

MD5 hash:

e71cfed11fa32ec05583b780702254b9

SHA1 hash:

c1db480998c3a34cb071b5eb6f6d73253b741ed9

Link:

https://www.unpac.me/results/bcc41c0b-29c5-4b27-96ab-7d6fc37ee9b5/

SH256 hash:

78301e5eed8234a92c7193cc61049d929223c2edf6980b7e95f8b83e17f3a5b0

MD5 hash:

d36229e05b2cb13bbbe09499b1ac0eaa

SHA1 hash:

974b192b3f9ac5ec8b6cd0d3d4bddea2c13a7fe8

Link:

https://www.unpac.me/results/bcc41c0b-29c5-4b27-96ab-7d6fc37ee9b5/

SH256 hash:

81caedd592704a07c255bc60495c3eab6c5a235af05e13e04a8bee3f0c65af40

MD5 hash:

d37f0cbc031ecaadd7fc97c9169e04e1

SHA1 hash:

32f7fe6ddbab26aacde711e31af8c8921f35584c

Link:

https://www.unpac.me/results/bcc41c0b-29c5-4b27-96ab-7d6fc37ee9b5/

SH256 hash:

d16d34e4b1d1ef563842f3a0e691642da9f814bf240827e704caa57dc3106db0

MD5 hash:

ef21d03f6847389f89c057fd2dee4ba0

SHA1 hash:

ab5de0026cb731e285d937a70bb1b16f5a2bb811

Link:

https://www.unpac.me/results/bcc41c0b-29c5-4b27-96ab-7d6fc37ee9b5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d16d34e4b1d1ef563842f3a0e691642da9f814bf240827e704caa57dc3106db0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample