MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d638e7ea6048de830f145ff0e37950b009c10da0b49be87a145a9418541a0cdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	d638e7ea6048de830f145ff0e37950b009c10da0b49be87a145a9418541a0cdd
SHA3-384 hash:	1db8383ebe44b0445828f9c7bc27f99aa919ab32c4c9cbd25700ec7e7e00967f80ee77e7876057e0abe8ec727e0c206c
SHA1 hash:	214414bfab84865ce5d2c2d353b8dfe8e06cfdfc
MD5 hash:	61d279d26034207f8a9f541056c0901f
humanhash:	music-solar-table-high
File name:	DHL Consignment_pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'305'088 bytes
First seen:	2022-11-08 15:36:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'467 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	24576:8sE1XkMdsLrBJL0sSdwMltzQEhvVUObS:bERkbLdJLOJLzhvVRb
Threatray	17'429 similar samples on MalwareBazaar
TLSH	T1DE55CF5022E8DBDAE07653FA5C2075A0177E3E66682DDE280D9179DE0A33B410E36F5F
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	62ccaca6b2968eaa (2 x Formbook)
Reporter	abuse_ch
Tags:	DHL exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

190

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

DHL Consignment_pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-11-08 15:48:03 UTC

Tags:

formbook

Link:

https://app.any.run/tasks/9d092dea-a3a0-4c10-b580-600825ff44e1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/330665/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/636a77a45a33779d69cea5f4/reports/f6506850-db34-4147-ac7b-fba256db12fa/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3430682f-e6d4-48d0-9d1f-80145b337924

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1108372

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Deletes itself after installation

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d638e7ea6048de830f145ff0e37950b009c10da0b49be87a145a9418541a0cdd/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2022-11-08 09:28:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2y4op2tajdpigdyul7yog6kqwae4cdnawsn6q6qulkkbqva2btoq._file

Verdict:

malicious

Label(s):

formbook

Formbook

7b00599838c328e0b0f684cf8afb33a2e60be3a7e470151541e5ca9cce64d2ee

Formbook

8a44adde0f3cad02f2cfd6f4694a8e4455acd991bbe25520cf6bafe0839ed09c

Formbook

8a93dabd3dda5548c792f3064979a25a5770e5870a8d9989a0b16b5f2cc56204

Formbook

9de05e3460e7b565c614eddca75b9b08b697f9b21c3b4da6fd88e8d7b2d11a90

Formbook

c57a9475d4b8d7811ab189f35fed2acf525f175a77d59a791157d9d52c47b4aa

Formbook

e6d6f7cf5ab4892455617b818579f8123d6f32eb13adb93c4feca7c6caa352ff

Formbook

ec81ecfe0f57e6ce43b9c5b605deead6f3d3c6f72a94e2d2bc14d6b0bda004c5

Formbook

ed575e87b8ddb54cdd3f247dc89ac394081bbd503cbd6b29d1a4592d60aa07a6

Formbook

+ 17'419 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:figc persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/221108-s2ggsaebd3/

Behaviour

Checks SCSI registry key(s)

Enumerates system info in registry

Gathers network information

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Enumerates connected drives

Checks computer location settings

Modifies Installed Components in the registry

Formbook

Unpacked files

SH256 hash:

4787ef359149bda71ae543fdf3fb1a3aa4e3470cd2838eccbe187cf98695f76c

MD5 hash:

d26be60e8ec2b6384883e075766478fb

SHA1 hash:

b129a5625d7485805f95c4c3a9b539c147a02c91

Detections:

XLoader

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/f2e0b5cf-fa48-4267-9b57-ccc4e1989267/

Parent samples :

158529ef601d8cb75e4496d83ccce43fcbe024a133755825b766e8199bbc32f9
6b2b1122272218d87c937c4ea18da8aece008216f555592dc80282485a3c0a9b
b5fa7ba66a41d5339de778bf63595ef7799846099943d6c82c30df1d3d867f29
f953039aa4eb98f95a4c4f4b14ef6aa464125a2d46bafaae54c58c8d4ff71761
0da49f1594366db1179e9ea93909edb301b41241513a63e5ff7ea57643254b9c
67d5928c7f82bb8b15327d64edff03056f33b577d8323d6b4bd6ae9112336ba8
e2361815d639c14a638cb591a82c340f42af6a1c9c15bb3bec0b98080c2a92ed
d638e7ea6048de830f145ff0e37950b009c10da0b49be87a145a9418541a0cdd
7b710e9885b0024fdffd6017a32111af82094c23f2bb8a41ece3d29ae1a9718c
2eeea519e17a33aeece43a9157b2e2caede5b6b34a9afa424d324030cbac48aa

SH256 hash:

3992074002d2945481134093ddaf2c5963c956578e8f0cfbdff304f626ee2fa8

MD5 hash:

2db01cfe744d42c83edbdde50d3995b2

SHA1 hash:

69c41c574b67cec2af01c33751a2c377c1396313

Link:

https://www.unpac.me/results/f2e0b5cf-fa48-4267-9b57-ccc4e1989267/

SH256 hash:

a594263421de614ef35d7fcf74159a69f82be5258be21e1268930d5c6333ea75

MD5 hash:

536085d9ae8a6428da6a82af2c14d4d5

SHA1 hash:

f6f4be85963d834f03dc83d8dcfd151309a4b5e0

Link:

https://www.unpac.me/results/f2e0b5cf-fa48-4267-9b57-ccc4e1989267/

SH256 hash:

24d68d795c29db37521a59ed8fc816c4656a29839dff33d442e0624ed08f285d

MD5 hash:

016784ecf4a450aef513921a0a248dcf

SHA1 hash:

b3ebdf8f58270e1ce6a562b7c9c2a5f5961e7766

Link:

https://www.unpac.me/results/f2e0b5cf-fa48-4267-9b57-ccc4e1989267/

SH256 hash:

cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4

MD5 hash:

aabd0bdc81026ade6c57383f21d5c227

SHA1 hash:

4b26936bb8c03be6d7963184215a5ab594ecb765

Link:

https://www.unpac.me/results/f2e0b5cf-fa48-4267-9b57-ccc4e1989267/

SH256 hash:

92bd802a0f7eb1213758a6c1a4c07302e0320c3a2aeb6273b0303dd3bbdefe90

MD5 hash:

046e97119545e5abde2f40b5dc3a0344

SHA1 hash:

3e69b67ddff2554c8cd72e129d4da9c8acd9d331

Link:

https://www.unpac.me/results/f2e0b5cf-fa48-4267-9b57-ccc4e1989267/

SH256 hash:

d638e7ea6048de830f145ff0e37950b009c10da0b49be87a145a9418541a0cdd

MD5 hash:

61d279d26034207f8a9f541056c0901f

SHA1 hash:

214414bfab84865ce5d2c2d353b8dfe8e06cfdfc

Link:

https://www.unpac.me/results/f2e0b5cf-fa48-4267-9b57-ccc4e1989267/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/330665/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample