MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec4741cb3671f0c7563788e27e03fd2cfae2b7470108cbf9e1603b138d034a11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec4741cb3671f0c7563788e27e03fd2cfae2b7470108cbf9e1603b138d034a11
SHA3-384 hash: 81ef6f2d3c4c7d1183f36ccc11971de1edb6eb5ce3433dd756d58a968f69a44a49bc7487f828d1e25c8261aa0e41b84f
SHA1 hash: 8a3f23548ac66a45a5fba76561757df9bb301c8b
MD5 hash: 4bc8ce54beb8016d78f09425034b3d03
humanhash: fruit-oregon-stairway-london
File name:DHL AWB-5024310182_061222.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:806'912 bytes
First seen:2022-12-06 14:18:31 UTC
Last seen:2022-12-06 15:38:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:momxiPQFQNWbvquj44kgP6Y/mXYGAsjl:moKmQSNWbvn4hs/y
TLSH T18C05E00372AC9B2DD53897B2347A413043B9AF17A480E659BCD1FCEF5536B8C1A11ADB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon ecec889ce6d8e8f0 (40 x Formbook, 21 x AgentTesla, 12 x SnakeKeylogger)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL AWB-5024310182_061222.exe
Verdict:
Malicious activity
Analysis date:
2022-12-06 14:25:25 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/7ac8006a-f31d-4af0-a6c3-454637bafcfa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/343493/
Detection(s):
SecuriteInfo.com.Trojan.Siggen19.18804.633.16318.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Launching a process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638f4f590c6473d16719aa04/reports/7c55846f-f785-4498-ba51-511150426c7e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1fd837e-fdca-466d-b588-a7a0bff8fd03
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1129055
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 761791 Sample: DHL AWB-5024310182_061222.exe Startdate: 06/12/2022 Architecture: WINDOWS Score: 100 29 www.bestcolonia.club 2->29 31 bestcolonia.club 2->31 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 6 other signatures 2->41 9 DHL AWB-5024310182_061222.exe 3 2->9         started        signatures3 process4 file5 23 C:\...\DHL AWB-5024310182_061222.exe.log, ASCII 9->23 dropped 51 Injects a PE file into a foreign processes 9->51 13 DHL AWB-5024310182_061222.exe 9->13         started        signatures6 process7 signatures8 53 Modifies the context of a thread in another process (thread injection) 13->53 55 Maps a DLL or memory area into another process 13->55 57 Sample uses process hollowing technique 13->57 59 Queues an APC in another process (thread injection) 13->59 16 explorer.exe 13->16 injected process9 dnsIp10 25 www.p-soils.com 162.43.120.154, 49707, 80 CYBERTRAILSUS United States 16->25 27 www.re-curve.tech 16->27 33 System process connects to network (likely due to code injection or exploit) 16->33 20 chkdsk.exe 13 16->20         started        signatures11 process12 signatures13 43 Tries to steal Mail credentials (via file / registry access) 20->43 45 Tries to harvest and steal browser information (history, passwords, etc) 20->45 47 Deletes itself after installation 20->47 49 2 other signatures 20->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec4741cb3671f0c7563788e27e03fd2cfae2b7470108cbf9e1603b138d034a11/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-12-06 14:19:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
11 of 41 (26.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5rdudszwohymovrxrdrh4a75ft5ofn2haeemx6pbma5rhdidjiiq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:d8ax rat spyware stealer trojan
Link:
https://tria.ge/reports/221206-rmvkeshf7z/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Formbook
Unpacked files
SH256 hash:
78c065eb72b05b398f706e7d076af3787a937e3140c35022d4e4b7c117b1ff91
MD5 hash:
4bbf17127a275bedac6855fc68ec4fc9
SHA1 hash:
6fe43bcb8360f54d85d946ad9334ca6897918698
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/8c9a6e7e-e613-47d9-a77c-87615548bba7/
Parent samples :
314cf1d9477fd2d1c1d46503bc2aa48ad0ca137c31bff40d3c821cf3b4ca3bc4
ec4741cb3671f0c7563788e27e03fd2cfae2b7470108cbf9e1603b138d034a11
984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05
SH256 hash:
aaa973abc72f89c1574366a392d7781eb6e06575a0bf5c2e5f8cf118b2723eb6
MD5 hash:
69716c1e731e08f85bf105c3508edc88
SHA1 hash:
49714d5de175207edd161ea59bc710740a71e337
Link:
https://www.unpac.me/results/8c9a6e7e-e613-47d9-a77c-87615548bba7/
SH256 hash:
e473532805dce6e57e888d30dce29fc658798e7d8c0e25ece3057df5fc12f30a
MD5 hash:
1fb7b07f44700e775245255cad435b06
SHA1 hash:
f860512861106fd4edcd517ff5d344e69f2a8263
Link:
https://www.unpac.me/results/8c9a6e7e-e613-47d9-a77c-87615548bba7/
SH256 hash:
c09d42c294a69452ea51b3879ebb8f02a86d6858c2f3ae2df8eb1cf2fdb52e8d
MD5 hash:
da79a00a3e1133c3819e7d909320429c
SHA1 hash:
b90da8609bed9258bae381e4b949f98dcb42ad02
Link:
https://www.unpac.me/results/8c9a6e7e-e613-47d9-a77c-87615548bba7/
SH256 hash:
922915132a628d0050bf03a473370544dde3323627fb4adcba3f1ba869537e50
MD5 hash:
1ecb63625d636b0b8f8ebdece9fa80c3
SHA1 hash:
5623d5ad21fc63893011bae7e4709c51219fcc1c
Link:
https://www.unpac.me/results/8c9a6e7e-e613-47d9-a77c-87615548bba7/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/8c9a6e7e-e613-47d9-a77c-87615548bba7/
SH256 hash:
ec4741cb3671f0c7563788e27e03fd2cfae2b7470108cbf9e1603b138d034a11
MD5 hash:
4bc8ce54beb8016d78f09425034b3d03
SHA1 hash:
8a3f23548ac66a45a5fba76561757df9bb301c8b
Link:
https://www.unpac.me/results/8c9a6e7e-e613-47d9-a77c-87615548bba7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/ec4741cb3671f0c7563788e27e03fd2cfae2b7470108cbf9e1603b138d034a11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/343493/

Comments