MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff0c4eb94aa281998aa21d84093a51f525583bb2d333b9c02ea0599f3791e21a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15



SHA256 hash: ff0c4eb94aa281998aa21d84093a51f525583bb2d333b9c02ea0599f3791e21a
SHA3-384 hash: f60e1e21962c57f707dfd6c21633ac27d7a319d1196ef6a7f0a8d9ef4f5ffc1a58b537d80858757ce332f5e3fd83cae2
SHA1 hash: 07c7ef717487f7e413cfaa55157d7dad87856922
MD5 hash: eed9ec7f662df0c4df9cc6516ba95102
humanhash: white-chicken-july-black
File name: DHL Shipment Delivery Notification 24-8-22.exe
Signature: Formbook
File size: 696'320 bytes
First seen: 2022-08-24 15:52:22 UTC
Last seen: 2022-08-29 10:59:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:g/4r517Tu3XDG2OZCwvVnveRrKgCTIq8myMFthiQJ5jvf6aj:Zr5p4G2pwoEr8qhy+thi852aj
TLSH: T1DDE4012036D94B82C53ECBF55430A49027BEBE1B369BE74E6DC171DE2A35B418652F23
TrID:
  60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.8% (.SCR) Windows screen saver (13101/52/3)
  8.6% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: abuse_ch
Tags: DHL exe FormBook

Intelligence


File Origin
# of uploads: 3
# of downloads: 330
Origin country: n/a

Vendor Threat Intelligence

Malware family: formbook
ID: 1
File name: DHL Shipment Delivery Notification 24-8-22.exe
Verdict: Malicious activity
Analysis date: 2022-08-24 15:57:38 UTC
Tags: formbook

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug hacktool packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (rendered image not available; the recoverable node and edge data is listed below)
Behavior Graph ID: 689637
Sample: DHL Shipment Delivery Notif...
Startdate: 24/08/2022
Architecture: WINDOWS
Score: 100

Root node (2):
  Domains: www.nudetinderboys.com, www.karanfildengelsin.com, 2 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures
  Started: DHL Shipment Delivery Notification 24-8-22.exe (11)

DHL Shipment Delivery Notification 24-8-22.exe (11):
  Dropped: DHL Shipment Deliv...ion 24-8-22.exe.log, ASCII
  Signatures: Injects a PE file into a foreign processes
  Started: DHL Shipment Delivery Notification 24-8-22.exe (15), DHL Shipment Delivery Notification 24-8-22.exe (18), DHL Shipment Delivery Notification 24-8-22.exe (20), 2 other processes

DHL Shipment Delivery Notification 24-8-22.exe (15):
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
  Injected: explorer.exe (24)

explorer.exe (24):
  Network: storekeymack.com 162.241.61.69, 49736, 80 UNIFIEDLAYER-AS-1US United States; avisosautomaticos.com 50.87.146.36, 49732, 80 UNIFIEDLAYER-AS-1US United States; 24 other IPs or domains
  Dropped: C:\Users\user\AppData\...\krvhq2dsdkz.exe, PE32
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files
  Started: rundll32.exe (29), krvhq2dsdkz.exe (32), krvhq2dsdkz.exe (34)

rundll32.exe (29):
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
  Started: cmd.exe (36), cmd.exe (39)

krvhq2dsdkz.exe (32):
  Signatures: Injects a PE file into a foreign processes
  Started: krvhq2dsdkz.exe (41)

cmd.exe (36):
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)
  Started: conhost.exe (43)

cmd.exe (39):
  Started: conhost.exe (45)
Threat name: ByteCode-MSIL.Spyware.SnakeLogger
Status: Malicious
First seen: 2022-08-24 11:51:15 UTC
File Type: PE (.Net Exe)
Extracted files: 53
AV detection: 24 of 40 (60.00%)
Threat level: 2/5
Verdict: malicious
Label(s): formbook

Result
Malware family: xloader
Score: 10/10
Tags: family:formbook family:xloader loader persistence rat spyware stealer trojan
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Adds policy Run key to start application
Xloader payload
Formbook
Xloader
Unpacked files
SHA256 hash: adea027bd878f0e995c0066eb20764c3cd065056426063bb73e47cf4f2d58739
MD5 hash: 9881dfdc199c551f76dc404cc9fc9364
SHA1 hash: 626e6981aa2e0075950a9ea92c3d96a9ca088a83
Detections: win_formbook_g0 win_formbook_auto

Parent samples:
SHA256 hash: ceda93fdfce3ad8e4f800d4f2d940d793b68b4b0b254b652bf42e13dbd189ba7
MD5 hash: 786afe844ec1723b635cace747b60efd
SHA1 hash: fa647a584a7fcad392147a182e3a2435b3ad5bb9

SHA256 hash: 1c68b1e0d30b8a3992b826333b4332f7a9fa9bdf53ebc2a8d9044f3b626838ec
MD5 hash: a55f624e96414e67c69d748a1d8441a7
SHA1 hash: 7782fd17a0c1d431794f6a65c5789e7299a6b6c2

SHA256 hash: 1b6021ec5b3396d6b17a3e40ea80704305fd64e9f4f8f5b578108303961722fa
MD5 hash: 7570a4987a451fce177cb58618d20962
SHA1 hash: 632395a280de51efaca1bb4739d2cb0a3bab8bcf

SHA256 hash: 9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash: 93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash: 220098c3047c32b51ae13a5cc1e9beeef3da6e18

SHA256 hash: ff0c4eb94aa281998aa21d84093a51f525583bb2d333b9c02ea0599f3791e21a
MD5 hash: eed9ec7f662df0c4df9cc6516ba95102
SHA1 hash: 07c7ef717487f7e413cfaa55157d7dad87856922
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ff0c4eb94aa281998aa21d84093a51f525583bb2d333b9c02ea0599f3791e21a (this sample)

Delivery method: Distributed via e-mail attachment

Comments