MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dccd1cdb73b3ea0e4a003f09972055cd5c780467ab3393defbcb442328108b4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

SHA256 hash: dccd1cdb73b3ea0e4a003f09972055cd5c780467ab3393defbcb442328108b4c
SHA3-384 hash: 25f174aedc25c5df902f48585894ba092076ca604aa4e8e81b17ed3868730fb5b6a33cc9a203067e2c9e99ffd4eedc92
SHA1 hash: 4d99f2650b4ad18a0412b2585004d41d272b92c2
MD5 hash: ddb0ee0c952e9b727fa6f891b1f84e92
humanhash: west-georgia-montana-oscar
File name: COMMECAIL INVOICE AND TNT AWB TRACKING DETAILS.PDF.zip
Signature: Formbook
File size: 760'262 bytes
First seen: 2025-04-25 12:12:26 UTC
Last seen: 2025-04-25 14:02:11 UTC
File type: zip
MIME type: application/zip
ssdeep: 12288:PNa/IU5ILjnigqS5q8o8Kj6vExJW3V5xHeF+deYs5rm2oR+GF5EzYAdQwCWZVVrw:PNsIj3SKoPxcS/YZnRdkImF6
TLSH: T14BF4337789065BF962F9E83C0A02164335561594F33E6DAAE496FC2EF80C2E707D2DE1
Magika: zip
Reporter: cocaman
Tags: DHL FormBook INVOICE TNT zip

cocaman
Malicious email (T1566.001)
From: "TNT OFFICE <dhl@geprojectoman.com>" (likely spoofed)
Received: "from serene-yalow.176-100-37-251.plesk.page (unknown [176.100.37.251]) "
Date: "Fri, 25 Apr 2025 12:48:03 +0100"
Subject: "RE : TNT Express //Arrival Notice // AWB #87013580 04/25/2025"
Attachment: "COMMECAIL INVOICE AND TNT AWB TRACKING DETAILS.PDF.zip"

Intelligence
File Origin
# of uploads: 2
# of downloads: 602
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: COMMECAIL INVOICE AND TNT AWB TRACKING DETAILS.exe
File size: 859'648 bytes
SHA256 hash: f99cf9f643c2e4d0517b48a35721b6b6df1feb97895c476650f3364d55fbc77c
MD5 hash: 5b36654061a8756b1ba577874304a004
MIME type: application/x-dosexec
Signature: Formbook
Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: micro spawn shell

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: entropy masquerade obfuscated obfuscated packed packed packer_detected

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Trojan.Vigorf
Status: Malicious
First seen: 2025-04-25 07:59:49 UTC
File Type: Binary (Archive)
Extracted files: 2
AV detection: 19 of 24 (79.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour:
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
zip dccd1cdb73b3ea0e4a003f09972055cd5c780467ab3393defbcb442328108b4c (this sample)

Delivery method: Distributed via e-mail attachment
Dropping: Formbook

Comments