MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3446e1f5a6de1c690cc7cb5cce30547173164c67d9a4ebb6570545c69b34933. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 22 File information Comments

SHA256 hash:	e3446e1f5a6de1c690cc7cb5cce30547173164c67d9a4ebb6570545c69b34933
SHA3-384 hash:	b3b86f36722fa233cd0b2aad4cacbc405f3b897a736c2597a181c0f759e7f500d060ad8aa86df6d1a60c207720c5722e
SHA1 hash:	fe9ce13b890558a8c85c88cddafdc07fc943012b
MD5 hash:	00e2bb2624c734506abe9d2c5bd89ade
humanhash:	single-wisconsin-music-rugby
File name:	Dhl Consignment details_pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	963'584 bytes
First seen:	2023-11-26 18:30:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:SFtD/619Y/FCmKv9XHzrxHoojg6RDJ23wHENt:q6b6FC31HxFcWUr
Threatray	206 similar samples on MalwareBazaar
TLSH	T1B225E12952B44F9AE8BB93F58568420507F6BEA9403BF39D5DC170DB4E32B814A07B37
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	DHL exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

293

Origin country :

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/460419/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/65638eec2efa450749a70c63/reports/3ecb9167-a491-4dfc-9d59-db1631e7b313/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/e3446e1f5a6de1c690cc7cb5cce30547173164c67d9a4ebb6570545c69b34933

Result

Verdict:

MALICIOUS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9b2b3514-719b-4892-ad07-ac30ef13d9db

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1348111

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e3446e1f5a6de1c690cc7cb5cce30547173164c67d9a4ebb6570545c69b34933

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e3446e1f5a6de1c690cc7cb5cce30547173164c67d9a4ebb6570545c69b34933/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-11-24 10:48:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4ncg4h22nxq4negmps24zyyfi4ltczggpwne5o3fobkfy2ntjezq._file

Verdict:

malicious

Label(s):

formbook

Formbook

2bf88c8e82f306e249d71856460626383a4befe7ca9115afbddbae0c7a960242

Formbook

4166ad5cb4dc5c1a94846632840494ae95cb1677130a11443889af9a9c44e8e7

Formbook

878c2055975e65a5cb716bcad258e77ce3c1706f2824616a2ed2bbb2344fbec5

Formbook

e3446e1f5a6de1c690cc7cb5cce30547173164c67d9a4ebb6570545c69b34933

Formbook

ed634911cd271d95fde0200d57e20a5d16a33580ae196d97efcc8b3002a5ebc9

Formbook

+ 196 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231126-w5175sba4w/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

d64c9796114f05fcdb886b9ec12794e2b5a9abdc7af43ffe4b188258b0c6247e

MD5 hash:

af68b5b2076e41f2661538c12ceb7ac9

SHA1 hash:

0e1d9e9972ccc9c9a441bccf0885995ccb2fc787

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/79fd1225-87e6-4cec-9f72-21a1e5b0e7f2/

Parent samples :

ed634911cd271d95fde0200d57e20a5d16a33580ae196d97efcc8b3002a5ebc9
e3446e1f5a6de1c690cc7cb5cce30547173164c67d9a4ebb6570545c69b34933
edfca2e01a1d5e95bc4711d90d76195346104a87ad1ab8347d7e91d8be22b1ca

SH256 hash:

0a351e21008b1210125bc55edc9838942ad40a8e64fd28dada7cfdbf728b7e6e

MD5 hash:

4818f50f932b66aecaf32630944c4717

SHA1 hash:

2a823c0d41a3e0feed74f31bbc0042473aed3a11

Link:

https://www.unpac.me/results/79fd1225-87e6-4cec-9f72-21a1e5b0e7f2/

SH256 hash:

dc2a31ebcef7e1b02ef0b2237da0e126dfebaa6a6336f829c0194b89793e239b

MD5 hash:

3d9dd0ed4f6deb6ad320d84fa5a40542

SHA1 hash:

f2daf79f4bfd1118856e13e1487c99259415d39e

Link:

https://www.unpac.me/results/79fd1225-87e6-4cec-9f72-21a1e5b0e7f2/

SH256 hash:

b40c51212af363bb685b5297ed6bf9f2b327f0ee31987c9eb4eb74fe79d925c6

MD5 hash:

af9c4cbc5be56020a32b6ae6c7d535d4

SHA1 hash:

ecd022f7261025c01779f742832372729e7b2bbf

Link:

https://www.unpac.me/results/79fd1225-87e6-4cec-9f72-21a1e5b0e7f2/

SH256 hash:

7be79072cc3a98be83cd47127cb7dfc01ac89f412e22044f34ec9173179b6a4f

MD5 hash:

c8b26cc44a0dc401b5cfcab260c1f4f8

SHA1 hash:

c5770d1bee47a21f2c16b73eb4297bda95a505f8

Link:

https://www.unpac.me/results/79fd1225-87e6-4cec-9f72-21a1e5b0e7f2/

SH256 hash:

0d834ee95cf7a6b119af4946fff75a87688ce726e4844766bdad82db908d2c28

MD5 hash:

df8c5ad5be6f7b009cb878486e6d66fa

SHA1 hash:

b8a7b2f6982ec13bfb5a6f865157c36455d83240

Link:

https://www.unpac.me/results/79fd1225-87e6-4cec-9f72-21a1e5b0e7f2/

SH256 hash:

fc504f5c1df79ba318c5afa9e26c9b6fb9a258f1b365b652a78bd9e6d0c723b2

MD5 hash:

170d4290be5dd8ad6a5ffab96f1f0bba

SHA1 hash:

abd17c06313aacf13bd77d991116ee4f95c160d3

Link:

https://www.unpac.me/results/79fd1225-87e6-4cec-9f72-21a1e5b0e7f2/

SH256 hash:

f6964e99cc9b11a1caf5990d2c79649834772660b34fec83265c4df1859f7415

MD5 hash:

3733afbccfe8f275a711590618470ded

SHA1 hash:

712bb12efeacf03c13394e7de3e15c7a1c81174a

Link:

https://www.unpac.me/results/79fd1225-87e6-4cec-9f72-21a1e5b0e7f2/

SH256 hash:

7b13bfe99185a9e1f83555c781f7180ffe07a5b6a231a1efe12ed9a5a382ee31

MD5 hash:

990901c3619d5d73fe06e3ab485f1103

SHA1 hash:

579cbc0a09f5f7813de27e7fac5ada41be1d6b05

Link:

https://www.unpac.me/results/79fd1225-87e6-4cec-9f72-21a1e5b0e7f2/

SH256 hash:

ca5702c8046401ad0ffb881334fef67caa6f73ad53de58cd87c782cf54554cae

MD5 hash:

78da0cac2cf03e1ffc52c728dc4f08de

SHA1 hash:

573031ec4506171969af3a87eba41a1642f9305b

Link:

https://www.unpac.me/results/79fd1225-87e6-4cec-9f72-21a1e5b0e7f2/

SH256 hash:

d187aa75dd2c999b0d22933ed56a6c7cecc8115fda453d99fe5d96d806813083

MD5 hash:

b3fa6601c4c2b9d88561d1e0f39c4ac9

SHA1 hash:

1b94d47390fa3a640ca9ec8062660ca593dfca78

Link:

https://www.unpac.me/results/79fd1225-87e6-4cec-9f72-21a1e5b0e7f2/

SH256 hash:

e3446e1f5a6de1c690cc7cb5cce30547173164c67d9a4ebb6570545c69b34933

MD5 hash:

00e2bb2624c734506abe9d2c5bd89ade

SHA1 hash:

fe9ce13b890558a8c85c88cddafdc07fc943012b

Link:

https://www.unpac.me/results/79fd1225-87e6-4cec-9f72-21a1e5b0e7f2/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e3446e1f5a6d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e3446e1f5a6de1c690cc7cb5cce30547173164c67d9a4ebb6570545c69b34933

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe e3446e1f5a6de1c690cc7cb5cce30547173164c67d9a4ebb6570545c69b34933

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/460419/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample