MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbdfd7a3493471ad1fb43b8c683db5c46a9ae555fb4b64dfd318de53cf4d312b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 12



SHA256 hash: fbdfd7a3493471ad1fb43b8c683db5c46a9ae555fb4b64dfd318de53cf4d312b
SHA3-384 hash: b86de82799a2c2cea66433fccbcf00bfab225492b9378c5a5d74dc3ce4e90620825e594066a31e9029efc18117763609
SHA1 hash: ba575d2d43af2bd94e82f67498520fde7875677e
MD5 hash: 0b78d13ec3f1dc3c02d309fcd1502ca5
humanhash: washington-east-football-thirteen
File name: dhl awb 3452778287การแจ้งเตือนการจัดส่งการจัดส่ง,pdf.exe (the Thai text reads "delivery notification, delivery"; note the ",pdf.exe" double-extension lure, with a comma standing in for the usual dot)
Signature: Formbook (reporter tag; the vendor results below attribute the payload to Remcos RAT instead, via the win_remcos_auto YARA hit on an unpacked file, a Sigma match for Remcos and the Win32.Backdoor.Remcos threat name, and the imphash is shared with far more GuLoader and Loki samples than Formbook ones, which points to a common packer or loader stub rather than a family-specific import table; confirm the family from the unpacked files rather than from this label)
File size: 822'979 bytes
First seen: 2022-10-06 10:01:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:8NbJ7HpRr9e+v2RUdm+53x11oDb4j4XEus+zHlMe:8NF7s+vgSma3x11Cb73Lbye
Threatray 3'078 similar samples on MalwareBazaar
TLSH T1F105BFD0ED30E88DC10991F0DBAE8FD5C6642D4D6B912CB922EBB719157210DCCDEAE9
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 7cdad8accc9ca4d4 (4 x RemcosRAT, 3 x Formbook, 1 x AgentTesla)
Reporter abuse_ch
Tags:DHL exe FormBook
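An added triage helper for the identifiers listed above; it is not MalwareBazaar's own code. It computes the four digests the entry lists, checks whether a local file is byte-for-byte this sample by SHA256, flags the ",pdf.exe" double-extension lure used by this sample's file name, and builds the form body of a get_info query for the MalwareBazaar query API (https://mb-api.abuse.ch/api/v1/) without sending it. The decoy-extension list, the tolerance for a comma or other non-alphanumeric separator before the fake extension, and the `Auth-Key` header note (abuse.ch now requires an API key for its APIs) are assumptions made for this example.

```python
"""Triage a suspected copy of this sample with the identifiers shown above.

Added example, not MalwareBazaar's own code. Standard library only; the
MalwareBazaar API request is prepared but not sent.
"""
import hashlib
import re
from typing import Dict

# SHA256 listed on this page for the sample.
ENTRY_SHA256 = "fbdfd7a3493471ad1fb43b8c683db5c46a9ae555fb4b64dfd318de53cf4d312b"

# Document/image extensions commonly glued in front of ".exe" to disguise a
# binary. Assumed list for this example; extend as needed.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                    "txt", "rtf", "jpg", "jpeg", "png", "zip"}


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Return the four digests MalwareBazaar lists for every sample."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def hash_file(path: str) -> Dict[str, str]:
    """Hash a file on disk in chunks so large samples need not fit in RAM."""
    hashers = {
        "sha256": hashlib.sha256(),
        "sha3_384": hashlib.sha3_384(),
        "sha1": hashlib.sha1(),
        "md5": hashlib.md5(),
    }
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_entry(data: bytes, expected_sha256: str = ENTRY_SHA256) -> bool:
    """True only when the bytes are exactly the sample this page describes.

    Compare on SHA256: the MD5 and SHA1 values are listed for cross-referencing
    older feeds, not as the identity of the sample.
    """
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def is_decoy_named_executable(filename: str) -> bool:
    """Flag 'invoice.pdf.exe'-style names.

    This sample puts a comma instead of a dot before the fake extension
    (",pdf.exe"), so any run of non-alphanumeric characters is accepted as the
    separator. Non-ASCII characters (the Thai lure text here) are treated as
    separators as well, which is the behaviour we want.
    """
    name = filename.strip().lower()
    if not name.endswith(".exe"):
        return False
    stem = name[:-len(".exe")]
    tail = re.split(r"[^a-z0-9]+", stem)[-1]
    return tail in DECOY_EXTENSIONS


def malwarebazaar_query(sample_hash: str) -> Dict[str, str]:
    """Form body for the query API's get_info call.

    POST it to https://mb-api.abuse.ch/api/v1/ with an 'Auth-Key' header
    carrying your abuse.ch API key (assumed requirement, see lead-in).
    get_info accepts an MD5, SHA1 or SHA256.
    """
    h = sample_hash.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", h):
        raise ValueError("get_info expects a hex MD5, SHA1 or SHA256")
    return {"query": "get_info", "hash": h}


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        digests = hash_file(path)
        verdict = "MATCHES this entry" if digests["sha256"] == ENTRY_SHA256 else "no match"
        lure = " | decoy document name" if is_decoy_named_executable(path) else ""
        print(path, digests["sha256"], verdict + lure)
```

Run it as `python triage.py <file>` on a quarantined copy. A SHA256 mismatch does not clear a file: repacked GuLoader-style droppers change every byte-level hash while keeping the same imphash, so a non-matching file with the imphash 56a78d55f3f7af51443e58e0ce2fb5f6 still deserves a sandbox run.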

Intelligence

File Origin
# of uploads: 1
# of downloads: 232
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Searching for the window
DNS request
Unauthorized injection to a recently created process by context flags manipulation

Result
Malware family: n/a
Score: 5/10
Tags: n/a

Result
Verdict: MALICIOUS
Details
Windows PE Executable: found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found hidden mapped module (file has been removed from disk)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Yara detected Remcos RAT

Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2022-10-06 00:11:32 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 19 of 26 (73.08%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE

Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: b8c2435699460bc99eea88916f592aecdcbea8d4797f1a912c2f5c71e7774533
MD5 hash: 50dd79a31ee53d18bad0e57a43a2d732
SHA1 hash: e6bc9e8d89f1e9884149d9b55a40487b98ceb93e
Detections: win_remcos_auto
SHA256 hash: d499b5c21ca03fe75bf58c2f8e689859be330193cb7045d846e2a9a5bede2d2f
MD5 hash: 5cd37957e0e073554a2bee1d44c96760
SHA1 hash: c50633d8329ca0071834a9ef6b66da7787f3b01f
SHA256 hash: 1252c6d0d91ea56a934b3c21aec3c23bcc3629e69457f855e294e46029528205
MD5 hash: 42180ce56a97eb5441f28c51348f0813
SHA1 hash: ac3385803f88aba5777db3af7ecd91f4937f41ab
SHA256 hash: fbdfd7a3493471ad1fb43b8c683db5c46a9ae555fb4b64dfd318de53cf4d312b
MD5 hash: 0b78d13ec3f1dc3c02d309fcd1502ca5
SHA1 hash: ba575d2d43af2bd94e82f67498520fde7875677e
Please note that we are no longer able to provide a coverage score for Virus Total.
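The behaviour lines in the vendor results above (a file created in %temp%, a process created from that file, WriteProcessMemory and SetThreadContext against a recently created process, and a hidden mapped module whose file was removed from disk) together describe a process-hollowing style injection chain. The following is an added detection example over constructed process events; it is not code from MalwareBazaar or from any of the sandbox vendors shown. The event dictionary shape (`type`, `pid`, `parent_pid`, `target_pid`, `path`), the %temp% path markers and the sample events are assumptions made for the example, not a real telemetry format or a real trace of this sample.

```python
"""Detect the dropped-file hollowing chain described by the sandbox behaviours.

Added example with constructed events; not vendor or MalwareBazaar code.
Chain: FileCreate of X in %temp% -> ProcessCreate with image X (child C,
parent P) -> WriteProcessMemory P->C -> SetThreadContext P->C.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Assumed path fragments that identify a user or system temp directory.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def in_temp(path: str) -> bool:
    """True when the (Windows) path lies under a temp directory."""
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def find_hollowing_chains(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per child process that completes the full chain.

    Events are assumed to arrive in chronological order. The chain is keyed on
    the ProcessCreate event, not on the dropped file still existing: the
    sandbox noted the mapped module's file had been removed from disk, so a
    check that re-reads the file at alert time would come up empty.
    """
    temp_files: Set[str] = set()                   # files written under %temp%
    children: Dict[int, Dict] = {}                 # child pid -> parent, image
    written: Dict[int, Set[int]] = defaultdict(set)  # child pid -> writer pids
    reported: Set[int] = set()
    findings: List[Dict] = []

    for ev in events:
        kind = ev["type"]
        if kind == "FileCreate" and in_temp(ev["path"]):
            temp_files.add(ev["path"].lower())
        elif kind == "ProcessCreate":
            image = ev["path"].lower()
            if image in temp_files:
                children[ev["pid"]] = {"parent": ev["parent_pid"], "image": image}
        elif kind == "WriteProcessMemory":
            child = ev["target_pid"]
            # Only the parent that spawned the dropped binary counts as the writer.
            if child in children and children[child]["parent"] == ev["pid"]:
                written[child].add(ev["pid"])
        elif kind == "SetThreadContext":
            child = ev["target_pid"]
            if child in children and ev["pid"] in written[child] and child not in reported:
                reported.add(child)
                findings.append({
                    "rule": "dropped-file process hollowing",
                    "parent_pid": ev["pid"],
                    "child_pid": child,
                    "image": children[child]["image"],
                })
    return findings


# Constructed sample events (not a real trace of this sample).
SAMPLE_EVENTS = [
    {"type": "FileCreate", "pid": 4100,
     "path": r"C:\Users\u\AppData\Local\Temp\stage2.exe"},
    {"type": "ProcessCreate", "pid": 4200, "parent_pid": 4100,
     "path": r"C:\Users\u\AppData\Local\Temp\stage2.exe"},
    {"type": "WriteProcessMemory", "pid": 4100, "target_pid": 4200},
    {"type": "SetThreadContext", "pid": 4100, "target_pid": 4200},
    # Not flagged: context change on a child that was not started from %temp%.
    {"type": "ProcessCreate", "pid": 4300, "parent_pid": 4100,
     "path": r"C:\Windows\System32\notepad.exe"},
    {"type": "SetThreadContext", "pid": 4100, "target_pid": 4300},
    # Not flagged: SetThreadContext without a prior WriteProcessMemory.
    {"type": "FileCreate", "pid": 4100,
     "path": r"C:\Users\u\AppData\Local\Temp\helper.exe"},
    {"type": "ProcessCreate", "pid": 4400, "parent_pid": 4100,
     "path": r"C:\Users\u\AppData\Local\Temp\helper.exe"},
    {"type": "SetThreadContext", "pid": 4100, "target_pid": 4400},
]

if __name__ == "__main__":
    for finding in find_hollowing_chains(SAMPLE_EVENTS):
        print(finding)
```

Requiring all four steps keeps the false-positive rate low (installers and updaters routinely run a binary from %temp%; debuggers routinely call SetThreadContext), at the cost of missing variants that inject with a different primitive such as queued APCs. Tune the chain to the primitives your telemetry actually records.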

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | Formbook | Executable exe fbdfd7a3493471ad1fb43b8c683db5c46a9ae555fb4b64dfd318de53cf4d312b (this sample)

Delivery method: Distributed via e-mail attachment

Comments