MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de8d23702e0e2dd07e0df01ba775077ff7a6918cb53dbb65680aea65054fd9a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de8d23702e0e2dd07e0df01ba775077ff7a6918cb53dbb65680aea65054fd9a4
SHA3-384 hash: 8e218300fd9c2dc3461797ae9aa785b7b109cb8399062b89c8395aecd427b8665ef765cd1ef42fd914a548494b17f2b3
SHA1 hash: 7e75558da2478c68311fb29c331078316b5955a7
MD5 hash: fa28bfe4ee1dd72996774f1e8e06524b
humanhash: texas-delta-bravo-ten
File name:DHL Notification_pdf.rar
Download: download sample
Signature Formbook
Create hunting rule
File size:2'029'546 bytes
First seen:2023-02-13 09:51:50 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 49152:Wyk3BjXUOQ0ErV39MtzQV/rWWNKG8sbCDMJ73Dhi:WVRjkkSetz4WOKjsbCDS73U
TLSH T1AD9533B8EF65007D98438C5B50EE22E417E2BF9BC3AB94D4D5C032272C65C998CA9D79
TrID 58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1)
41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:DHL FormBook rar


Avatar
cocaman
Malicious email (T1566.001)
From: "DHL Delivery Express <jess@acupuncturehk.com>" (likely spoofed)
Received: "from ikloytzh.acupuncturehk.com (ikloytzh.acupuncturehk.com [88.209.254.100]) "
Date: "Sun, 12 Feb 2023 18:02:48 -0800"
Subject: "DHL Shipment Notification: AWB8114704847"
Attachment: "DHL Notification_pdf.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:DHL Notification_pdf.exe
File size:2'150'912 bytes
SHA256 hash: bfa0c11853ee9aa5f20df491c68ebbd73aecc22b0192f5e964656b84dfc5ecf0
MD5 hash: 1e80fde95cf12cf57b944322804111c7
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27382.Rar5Heur.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63ea084397e87dd9097e534d/reports/9a0ae2a8-3d86-449b-b1f0-1803df7041f4/overview
Verdict:
Malicious
Labled as:
Mal/RarMal
Link:
https://www.hybrid-analysis.com/sample/de8d23702e0e2dd07e0df01ba775077ff7a6918cb53dbb65680aea65054fd9a4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de8d23702e0e2dd07e0df01ba775077ff7a6918cb53dbb65680aea65054fd9a4/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-13 04:38:15 UTC
File Type:
Binary (Archive)
Extracted files:
116
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=32gsg4bobyw5a7qn6an2o5ihp732nemmwu63wzliblvgkbkp3gsa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230213-l3yn5abh3z/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/de8d23702e0e2dd07e0df01ba775077ff7a6918cb53dbb65680aea65054fd9a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar de8d23702e0e2dd07e0df01ba775077ff7a6918cb53dbb65680aea65054fd9a4

(this sample)

Formbook

Executable exe bfa0c11853ee9aa5f20df491c68ebbd73aecc22b0192f5e964656b84dfc5ecf0

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 bfa0c11853ee9aa5f20df491c68ebbd73aecc22b0192f5e964656b84dfc5ecf0
  
Dropping
Formbook

Comments