MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaeb4a70b5df25c40d3e443b2f4b3adbd193b0ed7ffcaf4c5ca3d5e9955134ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	eaeb4a70b5df25c40d3e443b2f4b3adbd193b0ed7ffcaf4c5ca3d5e9955134ef
SHA3-384 hash:	9f5e4e59e72cc1d213a96acef678dc7be66c89aa7e77c07237d6b76d119e25bc18bdd9df8e6c806e1447b5695e63f96a
SHA1 hash:	19b77d1975995e7e7d4587075e939f02bf3a1418
MD5 hash:	2faeb35dfdd6697b4721d70094a8eebb
humanhash:	pizza-sixteen-magazine-tennis
File name:	DHL Confirmation CBJ211011128996.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	784'384 bytes
First seen:	2021-10-18 09:29:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c27a46121fdf0c7d592b2676dec19736 (5 x Formbook)
ssdeep	12288:U2QfYldSyZTiq8WIPK2gMrKkuAV/LFLtF/ULvFfji6O6BxB:UrfByZKz5ge/DFLtF/QFfji6O6BxB
Threatray	10'796 similar samples on MalwareBazaar
TLSH	T1D3F46C1EEBE204BBF037617CFD0AE67C1895AF501AA4A04239EF795C6B3C64251253E7
File icon (PE):
dhash icon	903134f0e8aa55a8 (8 x Formbook, 2 x Dbatloader, 1 x BitRAT)
Reporter	abuse_ch
Tags:	DHL exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

172

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/198084/

Result

Verdict:

Malware

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger

Link:

https://www.filescan.io/uploads/616d3ea0db358dd15ebeee41/reports/c184b62d-7181-415b-b1b6-ed55401299ad/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dbatloader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5f97f24a-72b2-4768-b2e6-cc3412c2b330

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/872108

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eaeb4a70b5df25c40d3e443b2f4b3adbd193b0ed7ffcaf4c5ca3d5e9955134ef/

Threat name:

Win32.Dropper.Dorifel

Status:

Malicious

First seen:

2021-10-17 23:42:25 UTC

AV detection:

16 of 45 (35.56%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5lvuu4fv34s4idj6iq5s6sz23pizhmhnp76k6tc4upk6tfkrgtxq._file

Verdict:

malicious

Label(s):

formbook

Formbook

5c175aad872d219fa23de0c83ea085fbdca8d76601167089b4e55ee66d520276

Formbook

6c6411e168c6e04022e9314130b25ae03380de6791d6a801f150679fddb64934

Formbook

90e1eac40edda005fffadbb1d16c652d16e685f8f4cf7375eb6ac928222c3a1c

Formbook

96a54086e0d1667ed27dacd61ce88129d2ae1236718babe4ee5b3054385cc215

Formbook

99cdf3421923232c160c5075af3bf8620df65bd59cf99cc341f17a58e1eeb4f2

Formbook

f5447c22561c0692e385ef3c0ef0ed84d4ce35042f0839bddd7de9aeaa1f777a

Formbook

f79690a1d55d2a07ff407ca6a7e74dfc8097d9c63d6fa59adc2e03c73d39290b

Formbook

ff577215d4aaa29ae63860167282ceeb0a703daadfdaef2155102500c269caa2

Formbook

+ 10'786 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:n5fq loader persistence rat suricata

Link:

https://tria.ge/reports/211018-lghe1secam/

Behaviour

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Blocklisted process makes network request

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.hanseionlinemarketing.com/n5fq/

Unpacked files

SH256 hash:

2c445b887ee8e82dc1256c5042b465cf9294df5df96c3043f9927f21a9225b16

MD5 hash:

ee4f84d3e9caefcf462f319104860abd

SHA1 hash:

649465bbd208cbdc3e2b474ae35e17aca306d465

Detections:

win_temple_loader_w0

Link:

https://www.unpac.me/results/e5c08f26-9ebb-41ca-8ce9-1ab17145d833/

Parent samples :

ca74d0e5b26cf6d8d5e3b04c607f4dacaf6fabc78d369dcb8d3637d6ce72e6bb
1cb6deac4e20e2a13002d118fc863a0757409bab2f45a9390529f1e6ad5217fc
eaeb4a70b5df25c40d3e443b2f4b3adbd193b0ed7ffcaf4c5ca3d5e9955134ef
96e14fedf020cef802a005cf9289d7c8f8a0f2bd516fee5f4096cf36a2f2c1e3
2a9bac8b5d947ef5f72c65bff3fe97d7ffd3602ec49915693987cd9909512187
22dd73a06a3bff8a7866c95b5191aa6a7b57d67d632b2373235e7b2ba4fd46fa
1a261ffbe76d224c7d9f9136723f1cdf35f661d0e5a38f43a7ee2cb31606f359
1e5bb5e00fddfcc62c8bfe71b46a4c8c6c22986c7a51931d16b8ddc465170d72
c11992880daecda35958fd14fcf3b6e5d32a6bda8c904a888ede0dcbb1f91aa6
42e09f0e4d7ab0448e04d5d31fbc63cfb2df988f848853a5a149ff5454040184
ff27831341c8b2477f8f59094764e8c4341be79c3f678f27cc425aef3b1ab21b
6814190b4099c532caabe663df73d8ee0c7d70b55db3c69c56eefc1dc1d162f5
c14cd408876aab6eecaf7354dade35554e21c7a3a784fda79ae5f6d6349f15ff

SH256 hash:

eaeb4a70b5df25c40d3e443b2f4b3adbd193b0ed7ffcaf4c5ca3d5e9955134ef

MD5 hash:

2faeb35dfdd6697b4721d70094a8eebb

SHA1 hash:

19b77d1975995e7e7d4587075e939f02bf3a1418

Link:

https://www.unpac.me/results/e5c08f26-9ebb-41ca-8ce9-1ab17145d833/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/eaeb4a70b5df/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/eaeb4a70b5df25c40d3e443b2f4b3adbd193b0ed7ffcaf4c5ca3d5e9955134ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/198084/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample