MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d44232f2022c8c9e948b4fc026cc391959c2e662a152b77e95dede5989320c27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d44232f2022c8c9e948b4fc026cc391959c2e662a152b77e95dede5989320c27
SHA3-384 hash: f018dd96fd4ef774a6ec7f39b1fa222ace2bf87aba5a6632a396a09f40ee701b3f1386b2222012b7504437b5b0ee9592
SHA1 hash: b0bd503740e4357886a4bef065ece2da1e06bb19
MD5 hash: e144f44d324b0754f2f524fe6f3e3bf8
humanhash: jig-harry-charlie-helium
File name:DHL DOCUMENT SHIPPING.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:403'688 bytes
First seen:2023-09-07 06:44:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 12288:JY1g4+L/L3O72gj558ygOY+e877tC/ssZDBqDqO:JY1gt71Q5RVe6tTsZDBqDqO
Threatray 97 similar samples on MalwareBazaar
TLSH T11A8412D1A1A0C8E3C4922772C8B685F93A61EE37DEF8911F1398FF297972153491E316
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 004569554d695500 (1 x Formbook)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL DOCUMENT SHIPPING.exe
Verdict:
Malicious activity
Analysis date:
2023-09-07 06:45:28 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/2d7725e1-5abf-40a0-99a3-9f1c446a40a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446864/
Detection(s):
SecuriteInfo.com.FileRepMalware.8544.13231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64f97170b7dd6394f712540c/reports/29e48a30-66fa-43e6-9481-3984e0f62558/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d44232f2022c8c9e948b4fc026cc391959c2e662a152b77e95dede5989320c27
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b1bbedd-5ec4-4589-97c1-eff9b7bc877f
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1304974
Signature
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1304974 Sample: DHL_DOCUMENT_SHIPPING.exe Startdate: 07/09/2023 Architecture: WINDOWS Score: 100 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected NSISDropper 2->46 48 5 other signatures 2->48 10 DHL_DOCUMENT_SHIPPING.exe 18 2->10         started        process3 file4 30 C:\Users\user\AppData\Local\Temp\lirfhv.exe, PE32 10->30 dropped 13 lirfhv.exe 10->13         started        process5 signatures6 62 Multi AV Scanner detection for dropped file 13->62 64 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 13->64 66 Maps a DLL or memory area into another process 13->66 16 lirfhv.exe 13->16         started        process7 signatures8 38 Maps a DLL or memory area into another process 16->38 40 Queues an APC in another process (thread injection) 16->40 19 NnGMNIvERYETkoWQaXspneQPb.exe 16->19 injected process9 process10 21 ipconfig.exe 13 19->21         started        signatures11 50 Tries to steal Mail credentials (via file / registry access) 21->50 52 Tries to harvest and steal browser information (history, passwords, etc) 21->52 54 Modifies the context of a thread in another process (thread injection) 21->54 56 Maps a DLL or memory area into another process 21->56 24 explorer.exe 1 21->24 injected 28 NnGMNIvERYETkoWQaXspneQPb.exe 21->28 injected process12 dnsIp13 32 www.paybillnow.info 162.0.225.178, 49779, 49780, 49781 NAMECHEAP-NETUS Canada 24->32 34 gicmeerut.com 103.13.97.220, 49773, 80 CTRLS-AS-INCtrlSDatacentersLtdIN India 24->34 36 4 other IPs or domains 24->36 58 System process connects to network (likely due to code injection or exploit) 24->58 60 Performs DNS queries to domains with low reputation 24->60 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d44232f2022c8c9e948b4fc026cc391959c2e662a152b77e95dede5989320c27/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-09-07 02:59:01 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2rbdf4qcfsgj5felj7acntbzdfm4fztcufjlo7uv33pftcjsbqtq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0cc4308eaf906783b45db5c75d2bf7e5a0b74d9d531dcce595604c1f436d4fb4
Formbook
4a63fd45dcc97cf19892173f6101ff932109f8e3c382db28ea077c63a65f203d
Formbook
5aff1db8f4c749933cd8869e1e80f000e4c27de7c0c7a7d1aa59c4f324522210
Formbook
69390302e6a82cad49f3eabbba2f274a63202c9df899709de1d78d7f8a9a9584
Formbook
a3ac1a13b363264a45374dbc9a485e19f80d71cefa4f3cb72a902d46c667330a
Formbook
de626ef467f34c5443918399208e46e271a40e010e23622eb53ef37d147e746f
Formbook
+ 87 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230907-hh292afb76/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
494bbc401321b2209a8382da3b8efb1fc56b8fa76f9f939c77a9045ba3ff414a
MD5 hash:
4489e9c5c2481a551a68ca6da61cfdf0
SHA1 hash:
9d11875d740ddf0fe3d03ef2f75b7402f9689f82
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/a65096f2-1e27-422d-a79d-59d6507b342e/
SH256 hash:
2e8588e5262e6102bfc8a87de491c57545432fb80823263db8c96b8288d792a6
MD5 hash:
a1b59932e7a91da45f1e45874637d2fb
SHA1 hash:
0fea620a89bde74c5b70c7c41eb70cc8766eaf88
Link:
https://www.unpac.me/results/a65096f2-1e27-422d-a79d-59d6507b342e/
SH256 hash:
b665cde6dd16866559d1c96ffdee75219e7a8b8c56a0cd950d91ff8aed7642ec
MD5 hash:
fbde34cdb4c01471d1d5361ad1b3244d
SHA1 hash:
542971044fcff542bbd3d2d4e6f5dccce53986b2
Link:
https://www.unpac.me/results/a65096f2-1e27-422d-a79d-59d6507b342e/
SH256 hash:
d44232f2022c8c9e948b4fc026cc391959c2e662a152b77e95dede5989320c27
MD5 hash:
e144f44d324b0754f2f524fe6f3e3bf8
SHA1 hash:
b0bd503740e4357886a4bef065ece2da1e06bb19
Link:
https://www.unpac.me/results/a65096f2-1e27-422d-a79d-59d6507b342e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d44232f2022c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d44232f2022c8c9e948b4fc026cc391959c2e662a152b77e95dede5989320c27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d44232f2022c8c9e948b4fc026cc391959c2e662a152b77e95dede5989320c27

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/446864/

Comments