MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4a853b38027915f1ea1daa506995a272250a5d56573d196ce52060a763e6b64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4a853b38027915f1ea1daa506995a272250a5d56573d196ce52060a763e6b64
SHA3-384 hash: d64eaf1f51b02a3603d967673507ae53ae256d0299783b16629a0725783ae5e9dccc6eb160e58f2e5f1572c4389440fd
SHA1 hash: aa1f0f9366265add649cab3309774d0d025cd349
MD5 hash: e7669667656639d382349202409009b5
humanhash: william-carpet-georgia-sweet
File name:DHL_AWB_NO_#907853880911.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:797'184 bytes
First seen:2022-08-02 17:55:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:F5/g6SKlpxS1cy6SdQUtlrZ2WLDQbH+Ph38e5eaiIh6eLxk/L69yn7cOERgC:FHLlpxS1KS2UPrZM+P7516eLxk/QyA/
TLSH T19205013363DE8B03C1358E3EE4560AD2437AE07F6251E356BDB93ABB60D735941A0B46
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0f0e8d8d4e4f4f0 (16 x Formbook, 11 x SnakeKeylogger, 8 x AgentTesla)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
351
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL_AWB_NO_#907853880911.exe
Verdict:
Malicious activity
Analysis date:
2022-08-03 06:10:10 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/8b917f32-d584-434d-9e0d-180375e86ab1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295977/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1452.26808.22418.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62e96588bcf76fcb6cdd2768/reports/7e49657e-7d60-4b5b-a7b8-c4365715cb59/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/292d53ec-4862-486e-b5fd-f9e1e5e89cda
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1045094
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 677590 Sample: DHL_AWB_NO_#907853880911.exe Startdate: 02/08/2022 Architecture: WINDOWS Score: 100 31 www.titantechmail.com 2->31 33 www.joselynbaezs.com 2->33 35 5 other IPs or domains 2->35 39 Snort IDS alert for network traffic 2->39 41 Multi AV Scanner detection for domain / URL 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 8 other signatures 2->45 11 DHL_AWB_NO_#907853880911.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\...\DHL_AWB_NO_#907853880911.exe.log, ASCII 11->29 dropped 55 Tries to detect virtualization through RDTSC time measurements 11->55 57 Injects a PE file into a foreign processes 11->57 15 DHL_AWB_NO_#907853880911.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 37 www.mafleursam.com 217.160.0.125, 49775, 80 ONEANDONE-ASBrauerstrasse48DE Germany 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 control.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d4a853b38027915f1ea1daa506995a272250a5d56573d196ce52060a763e6b64/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-02 17:56:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2sufhm4ae6iv6hvb3ksqngk2e4rfbjovmvz5dfwokidau5r6nnsa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s0s2 rat spyware stealer trojan
Link:
https://tria.ge/reports/220802-whz2kaaghq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
94eb1311e64ddd1441f1820049ce85e110592d08098bd0547324dc965fc52c23
MD5 hash:
a12c44df2adb4e318737cd1ce913d42b
SHA1 hash:
3956b1f7367d3136bae5d96b7814f5e131066c69
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Link:
https://www.unpac.me/results/0077917a-1368-4043-8220-129ec73741c5/
Parent samples :
2a9402ebd373051db7907618bccb58b922cdddb871a68987fb1f694527c8dc2b
5c1ea24ac3aab840b98016e4caeb82f55aed493aa3b412cb80c9fb6d6f79d9ad
cad3c55468a545fa192d342b696c573a3d19c36673fd7524e982069fe3bb6109
27d5408961dba9baf42c42b2574c863ccf523ee98fb0648559b733dd52fb37dc
e92fcd822de39355e0d89c4dc59336d4331e3d9b70a6ab54215b8ba637b53af7
cc48a92eedc0b016d5faad9bef8ea4d9831328650cc6f51064c569955b5c2382
d061f19eed59dc92d6ec275adb6b2e0c679bb637518a396384a47d3e184f7c6a
b062a9d743bcc3af9728b50385318d53924a65ad2defffae0ff625b6300280d1
981a126a3d6e3825ba435c9487988fd7a17fec0b7f2528a7229f2ae3a1798800
7d9650c0643e34d7b2485adaba2e2e2171e769d99e61839bda67e38cb595c312
5cbfa0d520be3a7147b437f0b02a3328a569110104a5ea37dcee8c0b8e464737
21f2e5161deb44fb1a6d6c1e043f835893333f90e029bbab3122bd1cc15957a7
8bb6042a5324981df5fc9259ab15da7c6badfb20be1d99cfe987634d9e37ea83
947f2382fc8bc6976d1fd37ac489d9ea783f0a1becfe36d44943596f1178deef
83a39de3decd05ed18f53402e780bb5fbb1d6cd90d916f3821ba338c9cd579d8
8b6765f7849153e97570cb7e438f1ec7934d49de37aaad4132e7f1f45be5fbc7
329b572ec9a7899496a335c8b6fa8a3a697c07cfc1161ca734ef379a33a27c48
a83621a531d4c85f70448ed30a4fca11be7154b28efa5c9853bb34766ac528e9
8cfab7564a09852f6ac15b97c02e63ea07b6099f6d38d39c05b06c8e097e6d31
eded2b81ae40fd2694db87102fbf5d69269de019853bd8062af52a1ac20d6d23
528eeb06e53ab90b33bb403f8b5b89c614c1ceeccbcb18429457dd69821d52cb
d4a853b38027915f1ea1daa506995a272250a5d56573d196ce52060a763e6b64
ef776f82fa51452cb7b8c4b4e8ba7b66481f7fd6f5d36056081ebd1c3326cc68
fe08d4765f0542daa638810065f54c1350df10aff72215191b66df811ab03e5e
fab49681b75999edcaa791c702fc8dabc22071fbc87013846ea9f9b009af4865
3b520fa20ca7de3ec42ddff17915a68c486136893a619d0abf8b6a2902a211e9
64c512b6660421797a005272a4b5e65981657619d28f0d8b27b399d58cd111e5
c8483d4d8ae1ce3227dbc11e8cfaffa8559cce0ea5189adca701c01b0e439cb9
e161e6e99cf402f075203ab98962e6c3f043f49f3a342c443f8480ae05898663
e5699b27604861d602353161493e6f3af720a33440d251d18b6e0f1322e88693
ec0ce1b19008446f177ac30c5bbcf55c714b1f43c7fe473068f562e8428aefc7
SH256 hash:
00ec6fabd6247cef694ca1c9f9a7ebf2aa8e6d7681603a22247df8981a27f284
MD5 hash:
68e6e9143e214dedb13a2c23b71df16e
SHA1 hash:
51f520456c16a75a7c05dff73f5d14674071e1cb
Link:
https://www.unpac.me/results/0077917a-1368-4043-8220-129ec73741c5/
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/0077917a-1368-4043-8220-129ec73741c5/
SH256 hash:
97408f5ed5c8c930380b004ebca63a7eb29c2086512d42489ee9caa2cedb88b7
MD5 hash:
6c050f828bbf22560edfdb8ba88dc4ee
SHA1 hash:
80984127f045206e5953d1c5b109364b7d86c62a
Link:
https://www.unpac.me/results/0077917a-1368-4043-8220-129ec73741c5/
SH256 hash:
a9c5b2c628a47247402ff05d399855caf6f6a22146d44cd0fd9d7fc05a65ba66
MD5 hash:
228ff1006be83039e4de2b5e0475a5b0
SHA1 hash:
3adef5cc343067fa6b9d5e712114dc619c867a72
Link:
https://www.unpac.me/results/0077917a-1368-4043-8220-129ec73741c5/
SH256 hash:
d4a853b38027915f1ea1daa506995a272250a5d56573d196ce52060a763e6b64
MD5 hash:
e7669667656639d382349202409009b5
SHA1 hash:
aa1f0f9366265add649cab3309774d0d025cd349
Link:
https://www.unpac.me/results/0077917a-1368-4043-8220-129ec73741c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/d4a853b38027915f1ea1daa506995a272250a5d56573d196ce52060a763e6b64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/295977/

Comments