MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 00f7a2f6f6aa920955b8102fbb0df70ed31a8e063f0da8b31297049236313590. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 12
| SHA256 hash: | 00f7a2f6f6aa920955b8102fbb0df70ed31a8e063f0da8b31297049236313590 |
|---|---|
| SHA3-384 hash: | 3b48237e3b557ee6fcf5182a12e15df97cf041dfec8bc68bacc5570188c2a186185452f6798be5f20c3361d9ce5569fa |
| SHA1 hash: | 78e76f5cf3ff68e4d5f214d9f4464384fb7534d7 |
| MD5 hash: | ece1282592e596af33920d3ed64f5975 |
| humanhash: | indigo-nitrogen-item-pluto |
| File name: | Justificante de transferencia ES070049 EUR27904 221710.exe |
| Download: | download sample |
| Signature | Formbook |
| File size: | 847'872 bytes |
| First seen: | 2022-10-17 16:06:43 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 12288:11s/+CgtbIMbFvuWYhIHUquQWWzRAfnI0gPpsk6m5jo7z6pHBYEvIr:xCgtbFIzh4yfnTgOtmdo3eHO |
| TLSH | T16C057BB615D24517E425327588C3E2F32AFB9D60B061D1C39AD76F6FBC840BB961338A |
| TrID | 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13) |
| Reporter |  malwarelabnet |
| Tags: | exe FormBook |
Intelligence
File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Verdict:
Malicious
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.FormBook
Status:
Malicious
First seen:
2022-10-17 15:46:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
23 of 42 (54.76%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
formbook
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook campaign:jr22 rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
a3eba40fbfb3681e240ed1dda348e16880a4e06a9990cbb6248a3be71bad4650
MD5 hash:
da2d6df235ec9fbc62e4787b0a0d2864
SHA1 hash:
846014461b5efddb0bf58dc62a5a2791aec58dbd
Detections:
FormBook
win_formbook_auto
win_formbook_g0
Parent samples :
53cc734dfa4d7b0bfa0cd0e14af42363792980b96bf42ef0581a8cbc05f5bb82
759145621f94949b40fccce63ea37d4d797d9a8548e0e2243bc53cd8b38d5ed8
14b54b7a4da97a23f3087f1b7641136dbd2d54930722dbf44afbc582e8aeb93a
fb153302b37f24aa962a21dfd2412a8066db5a7440f90ecd9611992c265af5b7
227b1adbf8ac110359ca5f0b02f8c371e8305efd24dc6864d3fce51f703ba76f
676416e2c1407bc9019df6f3228e3fad314beb2c7407a537cdeeaddb85fd1360
d129440d60999cafe3d6b5dd963f432a9dbcf984ecbaf6a8e804fa83774aa27d
4a8431b326b81b6a7511866390b22fad55234b730d7b1f02ff49664651d23b05
884a00ed9586fb90dacafb862e1109e3bf77181e0da9753f8d1d14447b3ca377
babfc42e0af2245a67e8b245bdd1f5e11c840cae6e06ecbc6593ed62f4dd2175
457abec90e7a3b7dfbe608a34190a08b1a8ef3b16afe476abb39678da853a7da
a4a1a724d5b3303e41f303298a3506cdbfa9913a43381c374968b3b5e015aad4
d51e64e598f57356d2e7f0ab76723cc0d1efef0c6ed396d29efa50a229a82a4d
95ff1b2ac39df0ad2ea1949b63257b6312caadc9da7fbe292f71e6a3d4c8c624
49790af2d4dbcb19d9467b8c3fffc208ec92eb4368bb2e98102699ec28501667
709fadc9b117a1a600f71c727e8c2c879434d118f79e033f7a2aca969068c9cc
49bee43f1928c8c6cf9c0d2d692df4581235784d51ded3051685fd18a51d5599
c2a2e935606e9b8d5ffc48c3fe91812e29f8abf0de31abfd6eb4d014fe781e5a
00f7a2f6f6aa920955b8102fbb0df70ed31a8e063f0da8b31297049236313590
22445431e206fbef66234fe0e6bea47e01e1119157048059c918500027f016fe
1edc58836efa9d62f0257732fd5729bb5b36df6312aca2f29d12dce0731a0c2b
4abe84412ba863045280e803595082ce90ce2684640da996c6f2987a9c4cba32
e8db90d8d2528f0767e5b82262223e07578e29f8e4166df3cf495318006ebbd6
32a657e250df4fd725a82f39075a8b2286d4e5a0d305df66deba979488c22312
48b6f902f4f54d1b87cac19db77d780623796062a1be32c858c8cf1881b1acbd
a14a7402e2a08d44585f37122f323cfbfd13f2e5d36377242e60dba60a348610
e63c3b11d92150b40ea8e1a34314be6055aee5214b3558473c539e9aa33ec150
35511df3a80e96c275e6d63f58921358bf51dbef3f981a316d2212242112ba9f
3130fe0040aca5135a6c22251a313fcaca05c404082727d8191545fccfcd3a02
d81949804bc29604ac2de2ac9f2d360deae54a39d28edfbc9b323868b619b059
b3d799fc625b259d9572ca933476c856f5cd821cde94e5360f1ea1921a6427ec
c1b6263682ff4c894af9df16a4f6c63bcd49248f2a580b3a3c86012d44388437
e8bc95bd3989e65c252e733adab5c16d51b18c19bccdab299d914cf6df922826
8987e10cdb8602039c7980d8a3d3736dbc9c65da17ffbc1a5844ae1da1d2ea9f
2016dcdb738fdd4dbcc09bad9e63604259b3b43ff2df2c9a5fc8d26d0cf6ca4c
ae1f2c8fd75695601dbe0f3b3fd00922495add9f623a81c0989c0fd17f10776b
5fc72e527c95078de299e57ba9a01084691efbc8cd9d4a5d5999db4506c6f46a
da09c2de0b3ff15f2a68fcb18c12bd974a1b67d282f09f0941a64d08d9af83a7
4f878a5470b9cd89d1db651b83471d169e825150b4063a1cce12ea0e747b187f
c3a388437fe334c0af827aaba2b9bbc4bd622b93faa6f8ecf39660e110a4affa
1c38daf9f1fd8cf3cc954ac18893d3d7cd9ebee75b49ce29fb885910d83740fd
ae5b981a55ba0eaa4cb03700d54e3a78799590691315b2973ef1e4e16b2e8c9d
bbce59cd09b98759f1e8de287441906c11a8698581e9a84e302626e48abc7c38
35e4bbcb475db082d2dda25b1e2acc001567abe7bbb4c0975827c800a529b2f4
2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732
fcc1683097894f7f965dcbb2abcd28e98f4ab15e925ceaa75ae35bcf0c88f372
b3811fa28d3e22cf5029476f6870c54e7fcd4d68da1342bb199ca6d41ed9ff56
a6821b8dbe19bb7e7b1b43e26f7a48c4b3ded583ff774e7a754b303af70ffe10
d2da367f408927aed9dc92251cc05f67a7032b9f59eafc1db59c1cc4aa71646a
4665c6ecef9d50ede04cfe2946684aead2040e9e1321d6324801e18673f67271
033533baa2ac7c6e43f18048aa02f5b150ab86384fd95fb4d49e58660f2c5d2f
3adaefb94e006670d66c9675ecf47b65a27bc39325bf96432c79ce47d473edcc
c4333322e47f6528c43a77936dea4bcf9230a3ec68c527d931d3c1c8f6232baf
1a166a2469e8634ab832469a47076affd97eec7d5b4855f33879960e559a235d
679e687ae1611a7eb7d00d06c9f8ae37b9168838c9ff9b822174f6b0de6304d0
b289fe67b0185e1ba0177f583675ce399772bf03fd813d47835c45427f71fbf0
b6209f2e0f32d7b0b3bc43b87bd3b44349ea80587db13d6d02ca6398d4459f6f
3e07d75e18bdabe5880fe8e4dbd5fad1b9d2c111ee6f43b35ddb5ff8286fd2e7
2484791ea3c160c3de266ebd831f707da64d5e5f31ed81270bf18947128d0933
ae53e378d16d207d5bf419aba715a89f84a0db8e7de1fb4ff0545d54cac1eb50
759145621f94949b40fccce63ea37d4d797d9a8548e0e2243bc53cd8b38d5ed8
14b54b7a4da97a23f3087f1b7641136dbd2d54930722dbf44afbc582e8aeb93a
fb153302b37f24aa962a21dfd2412a8066db5a7440f90ecd9611992c265af5b7
227b1adbf8ac110359ca5f0b02f8c371e8305efd24dc6864d3fce51f703ba76f
676416e2c1407bc9019df6f3228e3fad314beb2c7407a537cdeeaddb85fd1360
d129440d60999cafe3d6b5dd963f432a9dbcf984ecbaf6a8e804fa83774aa27d
4a8431b326b81b6a7511866390b22fad55234b730d7b1f02ff49664651d23b05
884a00ed9586fb90dacafb862e1109e3bf77181e0da9753f8d1d14447b3ca377
babfc42e0af2245a67e8b245bdd1f5e11c840cae6e06ecbc6593ed62f4dd2175
457abec90e7a3b7dfbe608a34190a08b1a8ef3b16afe476abb39678da853a7da
a4a1a724d5b3303e41f303298a3506cdbfa9913a43381c374968b3b5e015aad4
d51e64e598f57356d2e7f0ab76723cc0d1efef0c6ed396d29efa50a229a82a4d
95ff1b2ac39df0ad2ea1949b63257b6312caadc9da7fbe292f71e6a3d4c8c624
49790af2d4dbcb19d9467b8c3fffc208ec92eb4368bb2e98102699ec28501667
709fadc9b117a1a600f71c727e8c2c879434d118f79e033f7a2aca969068c9cc
49bee43f1928c8c6cf9c0d2d692df4581235784d51ded3051685fd18a51d5599
c2a2e935606e9b8d5ffc48c3fe91812e29f8abf0de31abfd6eb4d014fe781e5a
00f7a2f6f6aa920955b8102fbb0df70ed31a8e063f0da8b31297049236313590
22445431e206fbef66234fe0e6bea47e01e1119157048059c918500027f016fe
1edc58836efa9d62f0257732fd5729bb5b36df6312aca2f29d12dce0731a0c2b
4abe84412ba863045280e803595082ce90ce2684640da996c6f2987a9c4cba32
e8db90d8d2528f0767e5b82262223e07578e29f8e4166df3cf495318006ebbd6
32a657e250df4fd725a82f39075a8b2286d4e5a0d305df66deba979488c22312
48b6f902f4f54d1b87cac19db77d780623796062a1be32c858c8cf1881b1acbd
a14a7402e2a08d44585f37122f323cfbfd13f2e5d36377242e60dba60a348610
e63c3b11d92150b40ea8e1a34314be6055aee5214b3558473c539e9aa33ec150
35511df3a80e96c275e6d63f58921358bf51dbef3f981a316d2212242112ba9f
3130fe0040aca5135a6c22251a313fcaca05c404082727d8191545fccfcd3a02
d81949804bc29604ac2de2ac9f2d360deae54a39d28edfbc9b323868b619b059
b3d799fc625b259d9572ca933476c856f5cd821cde94e5360f1ea1921a6427ec
c1b6263682ff4c894af9df16a4f6c63bcd49248f2a580b3a3c86012d44388437
e8bc95bd3989e65c252e733adab5c16d51b18c19bccdab299d914cf6df922826
8987e10cdb8602039c7980d8a3d3736dbc9c65da17ffbc1a5844ae1da1d2ea9f
2016dcdb738fdd4dbcc09bad9e63604259b3b43ff2df2c9a5fc8d26d0cf6ca4c
ae1f2c8fd75695601dbe0f3b3fd00922495add9f623a81c0989c0fd17f10776b
5fc72e527c95078de299e57ba9a01084691efbc8cd9d4a5d5999db4506c6f46a
da09c2de0b3ff15f2a68fcb18c12bd974a1b67d282f09f0941a64d08d9af83a7
4f878a5470b9cd89d1db651b83471d169e825150b4063a1cce12ea0e747b187f
c3a388437fe334c0af827aaba2b9bbc4bd622b93faa6f8ecf39660e110a4affa
1c38daf9f1fd8cf3cc954ac18893d3d7cd9ebee75b49ce29fb885910d83740fd
ae5b981a55ba0eaa4cb03700d54e3a78799590691315b2973ef1e4e16b2e8c9d
bbce59cd09b98759f1e8de287441906c11a8698581e9a84e302626e48abc7c38
35e4bbcb475db082d2dda25b1e2acc001567abe7bbb4c0975827c800a529b2f4
2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732
fcc1683097894f7f965dcbb2abcd28e98f4ab15e925ceaa75ae35bcf0c88f372
b3811fa28d3e22cf5029476f6870c54e7fcd4d68da1342bb199ca6d41ed9ff56
a6821b8dbe19bb7e7b1b43e26f7a48c4b3ded583ff774e7a754b303af70ffe10
d2da367f408927aed9dc92251cc05f67a7032b9f59eafc1db59c1cc4aa71646a
4665c6ecef9d50ede04cfe2946684aead2040e9e1321d6324801e18673f67271
033533baa2ac7c6e43f18048aa02f5b150ab86384fd95fb4d49e58660f2c5d2f
3adaefb94e006670d66c9675ecf47b65a27bc39325bf96432c79ce47d473edcc
c4333322e47f6528c43a77936dea4bcf9230a3ec68c527d931d3c1c8f6232baf
1a166a2469e8634ab832469a47076affd97eec7d5b4855f33879960e559a235d
679e687ae1611a7eb7d00d06c9f8ae37b9168838c9ff9b822174f6b0de6304d0
b289fe67b0185e1ba0177f583675ce399772bf03fd813d47835c45427f71fbf0
b6209f2e0f32d7b0b3bc43b87bd3b44349ea80587db13d6d02ca6398d4459f6f
3e07d75e18bdabe5880fe8e4dbd5fad1b9d2c111ee6f43b35ddb5ff8286fd2e7
2484791ea3c160c3de266ebd831f707da64d5e5f31ed81270bf18947128d0933
ae53e378d16d207d5bf419aba715a89f84a0db8e7de1fb4ff0545d54cac1eb50
SH256 hash:
9293a89a735ea0244ef398ebaadc4d5fb93d97136251e9a2e5b3f38a4247315c
MD5 hash:
ecd28a3ad733e3bcb652b7f87213e74c
SHA1 hash:
d76a2697c51338d30f822a8ba8cc096963b5477e
SH256 hash:
cea00d86f41ab359274b9843161c4db355e0ee7c7e1ca5db277f8968b1b3835d
MD5 hash:
691cfa07610c2d9157e8e50f3b2bb282
SHA1 hash:
ae9083b465c0dfecf20da640ef3ef336e49fcb7a
SH256 hash:
9a2a9641cc1c5503509a769f56a719b5b529c2472a15eff64a56024fb1a11e3c
MD5 hash:
9e85f26c5574e74ebb44c8cb7bf58101
SHA1 hash:
52f6a3a5979f5537d199f8cad6c894f53f91ccfc
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
SH256 hash:
00f7a2f6f6aa920955b8102fbb0df70ed31a8e063f0da8b31297049236313590
MD5 hash:
ece1282592e596af33920d3ed64f5975
SHA1 hash:
78e76f5cf3ff68e4d5f214d9f4464384fb7534d7
Malware family:
FormBook
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.