MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9454d0787965826c1f6e031eb78495f153453fca4efea4ed993dceb61f2e3d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9454d0787965826c1f6e031eb78495f153453fca4efea4ed993dceb61f2e3d8
SHA3-384 hash: 843104f5c65805771bff860f64237bf2b52d149e24291a2c3f3a1d517d810fa7c1fee2b6e606fe1de47a7b89f378a0ec
SHA1 hash: 7d1e96ee1bbc229453fc30a15a8f2ebccfee4f12
MD5 hash: 28a73f327157c5f56e666607b184de43
humanhash: network-india-idaho-stream
File name:DHL Receipt276334511.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:261'366 bytes
First seen:2023-06-14 14:29:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep 6144:/Ya6IAxKmCd9OsUOOXk12w5LLMlaxBTNrZj:/YeAqnaMvZTNVj
Threatray 2'493 similar samples on MalwareBazaar
TLSH T11D441284B6D8DC03F0B76BB15E356E4A67F9CC2114B4C75B33211E9AF662B04A91F712
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL Receipt276334511.exe
Verdict:
Malicious activity
Analysis date:
2023-06-14 14:33:11 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/ca30925a-4cb8-432c-9ec6-b832e416b7df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398864/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.23012.5066.21274.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Sending a custom TCP request
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90726/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6489ceed42c89170f6ec4d4c/reports/e0fe97e2-4c67-4a26-9c68-7fec98dcd6e9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f9454d0787965826c1f6e031eb78495f153453fca4efea4ed993dceb61f2e3d8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac0907cc-4790-4e06-9c68-1a23cfdef0d1
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1254602
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found API chain indicative of debugger detection
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 887627 Sample: DHL_Receipt276334511.exe Startdate: 14/06/2023 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 9 other signatures 2->42 10 DHL_Receipt276334511.exe 19 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\...\fawxxi.dll, PE32 10->28 dropped 54 Detected unpacking (changes PE section rights) 10->54 56 Found API chain indicative of debugger detection 10->56 58 Maps a DLL or memory area into another process 10->58 60 Tries to detect virtualization through RDTSC time measurements 10->60 14 DHL_Receipt276334511.exe 10->14         started        signatures5 process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 17 explorer.exe 3 1 14->17 injected process8 dnsIp9 30 www.g6mnt.xyz 198.44.238.118, 49695, 80 SUPERCLOUDSLIMITED-AS-APSUPERCLOUDSLIMITEDHK United States 17->30 32 websites.durable.co 172.64.151.154, 49696, 80 CLOUDFLARENETUS United States 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 46 Performs DNS queries to domains with low reputation 17->46 21 wlanext.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f9454d0787965826c1f6e031eb78495f153453fca4efea4ed993dceb61f2e3d8/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-06-14 14:26:47 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7fcu2b4hszmcnqpw4ay6w6cjl4ktiu74utx6utwzspoowyps4pma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
142f8b22d894f1fee4c501acbc425edec276004d5d30ab7572cdfab85e89ad12
Formbook
28c3fe7155927cb7482afbe59c25193a1a34856caa296cec11f9a3404df33d7c
Formbook
3f95d87b384d8cc5b0689015483cf19f23bf75ae1f75f5043aed44dcf1cf07d1
Formbook
4422661ccc0d1ca90ea0427fbe9eacc398d819ef1f557c163a686fa127444c3a
Formbook
4f3beb04e0d4713530c2f9c369c300186ab01d902f060a904e5648490e8ba708
Formbook
6edd37fb895163628297cdcf7898da03027b960434bcae3404cd9fec27de1012
Formbook
92814573275c2578716e36854e2a8caca2be8e761b8dbecc3adb981d8ec656d3
Formbook
f14965866d8a9a8c9a12cb2bef6c0cf53e72cbf7f8f61477b42f7aa4f9b417be
Formbook
f45ed09f500667f7fbae32453fa1464a6003dc9ef3be284e156a43bacd3c2147
Formbook
f51bdb3c0026435904048abffb411be8b57143de59d0e66a3e2dfa3f2e5692ad
Formbook
+ 2'483 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:j0c7 rat spyware stealer trojan
Link:
https://tria.ge/reports/230614-rt6ahaac6s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook payload
Formbook
Unpacked files
SH256 hash:
e80e456cb4a02153cec43ab40cdf7379be90e97920bb38aff6125c532d3eed7f
MD5 hash:
eff26eb063dbe37b1bd354c13a7e896c
SHA1 hash:
dba64e228f2ebc6dd33a97cb041b9e9d2acbbef2
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/042d266e-33dd-4cff-9df5-55230d50d2da/
SH256 hash:
2c6d8b2075cf8e73b671608a197b8d9ea80f4b96bcbe5931232405f19e8d1885
MD5 hash:
be44b99756f0c34c7873d839f0f49736
SHA1 hash:
5a0477f1ffa4b4cbe1a5c5edaf2a1878d265ab5c
Link:
https://www.unpac.me/results/042d266e-33dd-4cff-9df5-55230d50d2da/
SH256 hash:
f9454d0787965826c1f6e031eb78495f153453fca4efea4ed993dceb61f2e3d8
MD5 hash:
28a73f327157c5f56e666607b184de43
SHA1 hash:
7d1e96ee1bbc229453fc30a15a8f2ebccfee4f12
Link:
https://www.unpac.me/results/042d266e-33dd-4cff-9df5-55230d50d2da/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f9454d078796/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.89
Link:
https://yomi.yoroi.company/submissions/f9454d0787965826c1f6e031eb78495f153453fca4efea4ed993dceb61f2e3d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/398864/

Comments