MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfe5b41bc1bd88c37ab8be5285c34f0f5dc2e168e94a9c4d8231879d5e8338f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfe5b41bc1bd88c37ab8be5285c34f0f5dc2e168e94a9c4d8231879d5e8338f2
SHA3-384 hash: 56741d9b77029756e3007aaa53e03df843710b6d5ec177f1660ab10eb72f6bb27efc89a8e64c2ead76e0b25950aadd3f
SHA1 hash: 195f139c7aedc9dc05433d4375beac642a086db9
MD5 hash: 674fb201f46ae83215447bda86ee241b
humanhash: ohio-cola-indigo-sad
File name:DHL AWB#29721.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:490'328 bytes
First seen:2021-11-02 14:14:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:8H+sWHWjfD1xlum3kGGy4b/Vd5C5D6jfEv:8H+52jJxlz2/cv
Threatray 11'630 similar samples on MalwareBazaar
TLSH T136A4AE4273174A0ED41C6BB0EFFB7B145314B7B55972470BAFB5B42B606E2EA2E90702
File icon (PE):PE icon
dhash icon 0c3259796961b24c (12 x RemcosRAT, 11 x Formbook, 6 x AgentTesla)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL AWB#29721.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-11-02 14:44:16 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/70f0d1a9-7865-4c8a-bcd3-2c20dcf1c349

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/201474/
Detection(s):
Win.Dropper.Generic-7113183-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/618147ebbf51178dbe48fa14/reports/ec83da55-79b1-4642-ac09-49df14ecb62f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2e25706f-b852-4534-9bd9-d617742539bf
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/881386
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspicious Double Extension
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dfe5b41bc1bd88c37ab8be5285c34f0f5dc2e168e94a9c4d8231879d5e8338f2/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-11-02 07:28:00 UTC
AV detection:
20 of 44 (45.45%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=37s3ig6bxwemg6vyxzjilq2pb5o4fyli5ffjytmcggdz2xudhdza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
043b45f9d94820186d7324c5f6e0fd7661de15ad29104fd43294e2f3839efa06
Formbook
1c9e70c025667083ad61d9180d1e41872e2da65ef4e3854a6c71501976481051
Formbook
4bdd5968c006f979c68ba686942695680950574bba495136b26bdd166d537ede
Formbook
6c0e85b84f2b1dfdb580a168386ad91efe7f734066ff3a12a0d359fcb4711dca
Formbook
afb0dcb294330abe26a2e2611f36441607a878844a251bea8be3e9407e238ad8
Formbook
b66060a214c372ff66b8917fee39b5cb6c82972cf7cdfcd64b9ae4b7b7e01bf7
Formbook
c781169f80930851f2174df529d1aaba061c45fd7ef90c5059a7c513bfda3414
Formbook
e83ce530468ceacafc364791ce8de4cdc2b456cb0df25b93ac4055a99b031702
Formbook
+ 11'620 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:g2rc rat spyware stealer trojan
Link:
https://tria.ge/reports/211102-rkkmfacgh3/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.naturigin.xyz/g2rc/
Unpacked files
SH256 hash:
a0e79eb21e1fcf38820c01bc02d965f87ad94db3d0c8eca2f3470a68b38f78bb
MD5 hash:
7502d4005011c8da7a0e1958c196423c
SHA1 hash:
ac38ea38c97db58fbdfeb7f85c99e89eae380f96
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/264f4155-004a-40a3-9224-118d965c71d4/
Parent samples :
1c9e70c025667083ad61d9180d1e41872e2da65ef4e3854a6c71501976481051
dfe5b41bc1bd88c37ab8be5285c34f0f5dc2e168e94a9c4d8231879d5e8338f2
SH256 hash:
d175ad31761766bf05725f5a0cd0a05814f9bd6a40675e4e19ad98e8fa183a03
MD5 hash:
6a6cf7054fc0b87c572efdaf08044dfa
SHA1 hash:
a3c68a676d0a304fd411fd5f86fb9a2aa9b474a4
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/264f4155-004a-40a3-9224-118d965c71d4/
SH256 hash:
4338485af2ae99982f798507f045884178778a3073cdcfa7d97a86d17b6c9baa
MD5 hash:
3312e15ef1638d357e3eb4e1d1ffd2a9
SHA1 hash:
82585dc8bfa9dcb30d749f4b4e1a0f2429c93e73
Link:
https://www.unpac.me/results/264f4155-004a-40a3-9224-118d965c71d4/
SH256 hash:
dfe5b41bc1bd88c37ab8be5285c34f0f5dc2e168e94a9c4d8231879d5e8338f2
MD5 hash:
674fb201f46ae83215447bda86ee241b
SHA1 hash:
195f139c7aedc9dc05433d4375beac642a086db9
Link:
https://www.unpac.me/results/264f4155-004a-40a3-9224-118d965c71d4/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dfe5b41bc1bd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dfe5b41bc1bd88c37ab8be5285c34f0f5dc2e168e94a9c4d8231879d5e8338f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe dfe5b41bc1bd88c37ab8be5285c34f0f5dc2e168e94a9c4d8231879d5e8338f2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/201474/

Comments