MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f386d0a92d33acedfd4ab31747a07377e67da31ff843f4598f16c6de567bfd6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f386d0a92d33acedfd4ab31747a07377e67da31ff843f4598f16c6de567bfd6d
SHA3-384 hash: 09ce2159ba8c3bf2d8dd4b527916fc1ed7e89d7a1550bf2b697ecf69fb8688a473588b3d746114fa4c4a4c77f0c0cc42
SHA1 hash: 87ba3ad1807763cb2e188d0cd92a63cf81206861
MD5 hash: d165ec46cd17db4d3c3c08b141d8a3c0
humanhash: georgia-virginia-delaware-eighteen
File name:DHL.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:14'348 bytes
First seen:2022-06-21 10:58:26 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 384:yUSbHvzngoOEAK82FqeTDB0/Q4sHfRVM34:yZbPTWcvqCHfRg4
TLSH T17152C0D79DCB00CECE5F4AB74D81537C27E4B6C80D249FA03102557838A3AC96B3A5D9
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:DHL FormBook zip


Avatar
cocaman
Malicious email (T1566.001)
From: "DHL Customer Support <ada.fer@gloryoftheseas.com>" (likely spoofed)
Received: "from alansots.gloryoftheseas.com (alansots.gloryoftheseas.com [193.233.182.34]) "
Date: "21 Jun 2022 02:18:52 -0700"
Subject: "DHL Shipment Notification : 3452041493"
Attachment: "DHL.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fs1518.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.W32.AIDetectNet.01.14991.8820.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b1a47a08903778452cddc2/reports/993f9efe-bb79-4f36-9c06-a4b6c821df97/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f386d0a92d33acedfd4ab31747a07377e67da31ff843f4598f16c6de567bfd6d
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f386d0a92d33acedfd4ab31747a07377e67da31ff843f4598f16c6de567bfd6d/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-21 09:03:09 UTC
File Type:
Binary (Archive)
Extracted files:
20
AV detection:
16 of 39 (41.03%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6odnbkjngowo37kkwmlupidto7th3iy77bb7iwmpc3dn4vt37vwq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220621-m3dvdsdbar/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/f386d0a92d33acedfd4ab31747a07377e67da31ff843f4598f16c6de567bfd6d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip f386d0a92d33acedfd4ab31747a07377e67da31ff843f4598f16c6de567bfd6d

(this sample)

Formbook

Executable exe 2fd76f5bd73eeec44ca3ef9a2783e496f66b07f0b6b814f0046ec3aaeac6f911

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 2fd76f5bd73eeec44ca3ef9a2783e496f66b07f0b6b814f0046ec3aaeac6f911
  
Dropping
Formbook
  
Dropping
MD5 f7f186620e0ea9f4278baaf94533b6aa

Comments