MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 002b24f62c62453804f766ba04f783a0ff57f2e6df6f0a22e360d9f5505a0764. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 002b24f62c62453804f766ba04f783a0ff57f2e6df6f0a22e360d9f5505a0764
SHA3-384 hash: 4bf6219d09310de1cfb23873b3abc5ab1fad80d1195564eb32bb172ac3728d21b4bcff03dad8e9fd7879dede5042e63d
SHA1 hash: 567a126135f6ded2cd20b87bf03e01c66091ca4b
MD5 hash: 7788c19345133b8e39610c267981f75c
humanhash: skylark-zulu-ceiling-single
File name:PO-000001407.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:764'416 bytes
First seen:2024-10-08 12:29:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:CyFx5mU+8kYHac2NxReO4hKJ9XWnzppU6RqRh3/ezT5zdO00zt87otoQSdO1Jqm/:TFxxw8ac2Nb54hyXeZOhvezVzZ0iotmK
TLSH T16DF4125127EC1721DABE0FFCB83695108BB7B928383AEB4D5E9E60CA07637044D61727
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
359
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO-000001407.exe
Verdict:
No threats detected
Analysis date:
2024-10-08 12:45:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d9a00120-b9f0-48e7-9a38-83000924d0eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3041.13848.31808.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=670525d1a69182ddbe5cff23
Tags:
Powershell Micro Spawn
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed phishing vbnet
Link:
https://www.filescan.io/uploads/670525de06f0c2314b42df2a/reports/2b9d783f-a1eb-408a-9915-eb7db251597b/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/002b24f62c62453804f766ba04f783a0ff57f2e6df6f0a22e360d9f5505a0764
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7a22745-7dd0-4228-9add-814beabf5f5f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1528975
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1528975 Sample: PO-000001407.exe Startdate: 08/10/2024 Architecture: WINDOWS Score: 100 22 Malicious sample detected (through community Yara rule) 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected FormBook 2->26 28 5 other signatures 2->28 7 PO-000001407.exe 4 2->7         started        process3 file4 20 C:\Users\user\...\PO-000001407.exe.log, ASCII 7->20 dropped 30 Adds a directory exclusion to Windows Defender 7->30 32 Injects a PE file into a foreign processes 7->32 11 powershell.exe 23 7->11         started        14 PO-000001407.exe 7->14         started        signatures5 process6 signatures7 34 Loading BitLocker PowerShell Module 11->34 16 conhost.exe 11->16         started        18 WmiPrvSE.exe 11->18         started        process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/002b24f62c62453804f766ba04f783a0ff57f2e6df6f0a22e360d9f5505a0764
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/002b24f62c62453804f766ba04f783a0ff57f2e6df6f0a22e360d9f5505a0764/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2024-10-08 12:30:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aavsj5rmmjctqbhxm25aj54dud7vp4xg35xquixdmdm7kuc2a5sa._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/241008-ppgp8sxdkk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/53b5cef2-cf88-4fa8-9ff9-c926408b11ff
Unpacked files
SH256 hash:
c1cc57b06760ee6e7038873addee5ca9f3e2f21fc42ac91cb2f71cdbc45aa90a
MD5 hash:
5bd2b9c4417f79a4d020bb094728db1d
SHA1 hash:
655b482f7daf3415db67253b6e96ce44e2f53ca7
Link:
https://www.unpac.me/results/f5383a4d-ca10-4903-a029-333085f0e3ce/
SH256 hash:
91e1f1fcd38f4922fb63fdf0dd76d98cc255fd9f6146d0c8c2d679d752eb79d3
MD5 hash:
5946625d1dac8427d589352d8ecd5cbd
SHA1 hash:
af0e7a570dc0d6d273b7c3dc214ebc1fefe3a334
Link:
https://www.unpac.me/results/f5383a4d-ca10-4903-a029-333085f0e3ce/
SH256 hash:
74034e180b50ec72692dfbe524d357efeb65a838dab761ac9bb30a548bb1d3f1
MD5 hash:
7d6a621d54953e01b2dab8d6a0f15a21
SHA1 hash:
679b3d33c4a6b8f383efb4b6f1db9a2a75a10346
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/f5383a4d-ca10-4903-a029-333085f0e3ce/
SH256 hash:
682c261fcd08c676ef231f46eac1c054c8df17522846b9e4adbafb62e8482dab
MD5 hash:
5a6cead6de3340dd9e0b16d599e5d1f5
SHA1 hash:
00e25f93284ff0d2493c6df3a596891d0848399e
Link:
https://www.unpac.me/results/f5383a4d-ca10-4903-a029-333085f0e3ce/
SH256 hash:
002b24f62c62453804f766ba04f783a0ff57f2e6df6f0a22e360d9f5505a0764
MD5 hash:
7788c19345133b8e39610c267981f75c
SHA1 hash:
567a126135f6ded2cd20b87bf03e01c66091ca4b
Link:
https://www.unpac.me/results/f5383a4d-ca10-4903-a029-333085f0e3ce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/002b24f62c62453804f766ba04f783a0ff57f2e6df6f0a22e360d9f5505a0764

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 002b24f62c62453804f766ba04f783a0ff57f2e6df6f0a22e360d9f5505a0764

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments