MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d80690916721f1f23e0c913d3f6c71428464e8141a49763c75e450ef21d984e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	d80690916721f1f23e0c913d3f6c71428464e8141a49763c75e450ef21d984e8
SHA3-384 hash:	25c73ebf343d2f005b8c61677a8ace117e9c152107140aa4467305f0c88d8700808121a7fccf35eec0d677c75caec2a0
SHA1 hash:	6f9c219a08aca7c57f6add9d8a730be6178713c6
MD5 hash:	bba45c96ad4627c4c0b1f25fb7a23c7a
humanhash:	nevada-zebra-angel-robert
File name:	DHL Express.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	254'519 bytes
First seen:	2022-01-27 13:10:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep	6144:owXEeJcPaaAr6Ih3IN3i0JojhE6/zN6287FPT6oFx8qu:7EeyCft0Oji6LN62sHFx83
TLSH	T142441295E4C5E59ED4960933022FDB2BDAFAB701313223571B210FDA3A522D72F0E19B
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	DHL exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

198

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL Express.exe

Verdict:

Malicious activity

Analysis date:

2022-01-27 23:08:36 UTC

Tags:

installer trojan formbook stealer

Link:

https://app.any.run/tasks/b570fbeb-30b0-4804-99ef-00a6f8e9cace

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/224319/

Detection(s):

SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Сreating synchronization primitives

Launching a process

Launching cmd.exe command interpreter

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/61f299f3c4bcf3287a612d1a/reports/e67fce36-d10b-4a1e-9aed-896614e893f4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7bdf5857-9220-4359-9415-8e150f94c2bc

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/928975

Behaviour

Behavior Graph:

n/a

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/d80690916721f1f23e0c913d3f6c71428464e8141a49763c75e450ef21d984e8/

Threat name:

Win32.Trojan.SpyNoon

Status:

Malicious

First seen:

2022-01-27 13:11:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3adjbelhehy7epqmse6t63drikcgj2audjexmpdv4rio6iozqtua._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:3a4h loader rat suricata

Link:

https://tria.ge/reports/220127-qeyfnsdbhj/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Deletes itself

Loads dropped DLL

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

f9721fe7a6b36d892de9160791833060e58c964b3de35968f79902d70c1254de

MD5 hash:

c818723efb833b6e9fc4df2820f3655a

SHA1 hash:

77ccee3a70fa73132f4b92630ff70c4afd614d4f

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/3184c3d8-9ceb-4c87-ae1e-e208f3337756/

Parent samples :

786698eab83f77c1fdc3d37daf49966befe788b0e85167083726354225176d1f
2f2ba4f8549cb5de1822f0382532abdcdbd6fc2ad1f2d5120bb4c9f145e84f08
cdd5fd48f46fd97ca375305008e09d2f6ef61be714c292f22a676ed827ede804
67bf345a4ea3e03b4b58a7d9e47f9d31a93f79fefe4e69067ee6c15250930169
d80690916721f1f23e0c913d3f6c71428464e8141a49763c75e450ef21d984e8
e8720afe9895124761086a0f00aa515997015669cc5332aebe99d5ea02ca7377
31168981af16e0fc209774a91e04e5aaf622cacbed12e970b7a35db0705174d6

SH256 hash:

89064afbf0ea46077e909aed5eed52181cf79e66c0390c256d769b4162fe4947

MD5 hash:

91a0e308489a8497f9fac56ae8b1d917

SHA1 hash:

f9b110e6440c47bc8173b9f841b70f7593d8b030

Link:

https://www.unpac.me/results/3184c3d8-9ceb-4c87-ae1e-e208f3337756/

SH256 hash:

d9f59c4632c5233ad80052a0796c354a9960c2367ba4abdd088b884e7ab02b08

MD5 hash:

803a7c4c2b27149d9908510017a06667

SHA1 hash:

1b0743b89ff8f9d70c3f0fcd00cb4fc9d95e3fa1

Link:

https://www.unpac.me/results/3184c3d8-9ceb-4c87-ae1e-e208f3337756/

SH256 hash:

d80690916721f1f23e0c913d3f6c71428464e8141a49763c75e450ef21d984e8

MD5 hash:

bba45c96ad4627c4c0b1f25fb7a23c7a

SHA1 hash:

6f9c219a08aca7c57f6add9d8a730be6178713c6

Link:

https://www.unpac.me/results/3184c3d8-9ceb-4c87-ae1e-e208f3337756/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.33

Link:

https://yomi.yoroi.company/submissions/d80690916721f1f23e0c913d3f6c71428464e8141a49763c75e450ef21d984e8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe d80690916721f1f23e0c913d3f6c71428464e8141a49763c75e450ef21d984e8

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/224319/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample