MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de25fb23c83d29dc1a8b8e5b2ff82f1b909c2b4afd9136dc5e93d8300aa8b278. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de25fb23c83d29dc1a8b8e5b2ff82f1b909c2b4afd9136dc5e93d8300aa8b278
SHA3-384 hash: 2913071b49a6765c9ddfbf80458b8f4ce8927215f6b347840b8774e9a4a8b0b9374ffbc2097e36064089d16c2bd14405
SHA1 hash: c22a5efa4d07a4a5594bd0efd25e1ee0e278868c
MD5 hash: b726c246f76d31a1ee1ba46509a79cad
humanhash: cat-oregon-venus-fourteen
File name:Shipping Document.r01
Download: download sample
Signature Formbook
Create hunting rule
File size:595'219 bytes
First seen:2024-02-07 08:28:47 UTC
Last seen:Never
File type: r01
MIME type:application/x-rar
ssdeep 12288:DrPtRklYjvA38Lot8KwpjAwfeP6HSiXlVw/:DLtRk13iHK+swfm0SiX/o
TLSH T161C42352632577054373453BD093F1EAE492EE48A9E2DE94CE3D17020299B7EC7C9AE3
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:DHL r01 Shipping


Avatar
cocaman
Malicious email (T1566.001)
From: ""DHL Customer Support" <support@dhl.com>" (likely spoofed)
Received: "from dhl.com (unknown [172.245.12.86]) "
Date: "7 Feb 2024 06:28:12 +0100"
Subject: "DHL SHIPMENT ARRIVAL PARCEL NO: 116466788"
Attachment: "Shipping Document.r01"

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:gG5dwIYGbEQZBt7.exe
File size:685'056 bytes
SHA256 hash: 78fa533a638b518f838be240f431580d19df296894c35a0cfb3f652312d7d2aa
MD5 hash: 3ecef5ac7ba1208f98d5fa5f83b71507
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65c33f582cb3f19023f39e78/reports/6f47e578-70df-4521-a3dd-9fa1d3fc79a7/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/de25fb23c83d29dc1a8b8e5b2ff82f1b909c2b4afd9136dc5e93d8300aa8b278
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de25fb23c83d29dc1a8b8e5b2ff82f1b909c2b4afd9136dc5e93d8300aa8b278/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-02-07 08:28:50 UTC
File Type:
Binary (Archive)
Extracted files:
21
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ys7wi6ihuu5ygulrzns76bpdoijyk2k7witnxc6spmdacviwj4a._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de25fb23c83d29dc1a8b8e5b2ff82f1b909c2b4afd9136dc5e93d8300aa8b278

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

r01 de25fb23c83d29dc1a8b8e5b2ff82f1b909c2b4afd9136dc5e93d8300aa8b278

(this sample)

Formbook

Executable exe 78fa533a638b518f838be240f431580d19df296894c35a0cfb3f652312d7d2aa

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 78fa533a638b518f838be240f431580d19df296894c35a0cfb3f652312d7d2aa
  
Dropping
MD5 3ecef5ac7ba1208f98d5fa5f83b71507

Comments