MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d860f7f4cd3767f61baa052dba19ab8df2c1f1e1b76a7a86eff40a676ba391ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d860f7f4cd3767f61baa052dba19ab8df2c1f1e1b76a7a86eff40a676ba391ad
SHA3-384 hash: 2d6097354ba533c9637e7fc3d9a152050b00255d7ea008b57fb8d0b7448d80197259433cdbb49b92b1bfa58d14fdcc7a
SHA1 hash: 688a3a1d7924e7942cc17a0aa90e357b87a1b4b2
MD5 hash: d1876d3139b2296d6a714d434b1a5d38
humanhash: spaghetti-burger-alanine-mango
File name:DHL_Original_Shipping_Documents_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:515'421 bytes
First seen:2023-11-03 07:53:50 UTC
Last seen:2023-11-03 09:20:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:lPiFud56vB1ZEP490rxXudCu3M6erLQ/IOoTLZ:lPiFud5gBDEQ90rx6J3M91LZ
Threatray 5 similar samples on MalwareBazaar
TLSH T1ECB4E0D2E48041A4FC591F7561338C39A467BEBDADB4AA8E1A9DB5703B732C7003794B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9999505523211729 (2 x Formbook, 2 x RemcosRAT, 1 x GuLoader)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
282
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457960/
Detection(s):
SecuriteInfo.com.Trojan.Garf.Gen.7.21879.12261.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/6544a725b38131f117ad32dd/reports/d79e2b01-1313-4d99-a58d-67d3dd4630bd/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/d860f7f4cd3767f61baa052dba19ab8df2c1f1e1b76a7a86eff40a676ba391ad
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a7cb7031-859c-4689-9846-e5f7edbb5804
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1336486
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Drops PE files with benign system names
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1336486 Sample: DHL_Original_Shipping_Docum... Startdate: 03/11/2023 Architecture: WINDOWS Score: 100 44 www.winsup.xyz 2->44 46 www.unisocks.live 2->46 48 12 other IPs or domains 2->48 66 Multi AV Scanner detection for domain / URL 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus detection for URL or domain 2->70 72 7 other signatures 2->72 11 DHL_Original_Shipping_Documents_pdf.exe 17 2->11         started        14 svchost.exe 1 1 2->14         started        17 svchost.exe 13 1 2->17         started        19 3 other processes 2->19 signatures3 process4 dnsIp5 42 C:\Users\user\AppData\Local\...\phlzhexoq.exe, PE32 11->42 dropped 21 phlzhexoq.exe 1 3 11->21         started        56 127.0.0.1 unknown unknown 14->56 file6 process7 file8 40 C:\Users\user\AppData\Roaming\...\Svchost.exe, PE32 21->40 dropped 74 Multi AV Scanner detection for dropped file 21->74 76 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 21->76 78 Maps a DLL or memory area into another process 21->78 80 Drops PE files with benign system names 21->80 25 phlzhexoq.exe 21->25         started        28 conhost.exe 21->28         started        signatures9 process10 signatures11 82 Maps a DLL or memory area into another process 25->82 30 RubtaYUxaX.exe 25->30 injected process12 process13 32 cipher.exe 13 30->32         started        signatures14 58 Tries to steal Mail credentials (via file / registry access) 32->58 60 Tries to harvest and steal browser information (history, passwords, etc) 32->60 62 Writes to foreign memory regions 32->62 64 3 other signatures 32->64 35 RubtaYUxaX.exe 32->35 injected 38 firefox.exe 32->38         started        process15 dnsIp16 50 www.winsup.xyz 203.161.53.83, 80 VNPT-AS-VNVNPTCorpVN Malaysia 35->50 52 gyoseisyoshi-jimusyo.com 219.94.128.69, 49717, 49718, 49719 SAKURA-CSAKURAInternetIncJP Japan 35->52 54 7 other IPs or domains 35->54
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d860f7f4cd3767f61baa052dba19ab8df2c1f1e1b76a7a86eff40a676ba391ad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d860f7f4cd3767f61baa052dba19ab8df2c1f1e1b76a7a86eff40a676ba391ad/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-11-03 01:47:17 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3bqpp5gng5t7mg5kauw3ugnlrxzmd4pbw5vhvbxp6qfgo25dsgwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
900d518389fffe99ee1fd546a9af47aeb109b0d8500139fdb3155d6916afd810
Formbook
aac65be361846da8dcffed72adc62c23fa81ffb6b140862fe3bd24dbb0b5bada
Formbook
afa3fdb1128e9f1c66459130cd28486858ed1e04ef553f7e51f06fc70a9cda0f
Formbook
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/231103-jrka9aea91/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
d860f7f4cd3767f61baa052dba19ab8df2c1f1e1b76a7a86eff40a676ba391ad
MD5 hash:
d1876d3139b2296d6a714d434b1a5d38
SHA1 hash:
688a3a1d7924e7942cc17a0aa90e357b87a1b4b2
Link:
https://www.unpac.me/results/e9d50f75-bdc6-4e39-9001-baafe1a71782/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d860f7f4cd37/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d860f7f4cd3767f61baa052dba19ab8df2c1f1e1b76a7a86eff40a676ba391ad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/457960/

Comments