MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0730056cbfb7cd86025fcd5b99f94dda7829e33c768efdd11c335b47a281dfda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0730056cbfb7cd86025fcd5b99f94dda7829e33c768efdd11c335b47a281dfda
SHA3-384 hash: 8fea4fc3203e1c2a317add3943151c684624662638029ff9369d710c2344c23b3bb3580795b0fd9f939934e5c14c8df5
SHA1 hash: 1a1252981e0dfe2b29ad36459621ac78e24b3eb1
MD5 hash: a10ef8944a8b06a48be58f693cbc19b5
humanhash: butter-eighteen-harry-beryllium
File name:Sipariş Sorgulama #11032019,pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'026'560 bytes
First seen:2021-12-15 10:10:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 24576:nIXdFP0hIEtK7gNPzPXRXZ3aUTi0vAQN+5eDrkGXr:nXv47GEkV7
Threatray 12'464 similar samples on MalwareBazaar
TLSH T19025125337B4C91AF29E3F77166290042B387C666A56D79F7CCC3C8D017AB842286B97
File icon (PE):PE icon
dhash icon 31d89c92929ed831 (19 x RemcosRAT, 6 x Formbook, 2 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Sipariş Sorgulama #11032019,pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-15 10:21:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/57496351-8317-4ddb-b0b9-ac635aff2b78

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214294/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Creating a window
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61b9bf3a45ca64e57f113360/reports/7cb136c5-6c65-4c80-a54b-f364cdd059fa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7d05815-08bd-46f0-b7e2-75674923ed7b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/907747
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 540224 Sample: Sipari#U015f Sorgulama #110... Startdate: 15/12/2021 Architecture: WINDOWS Score: 100 36 www.geta1fromday1.com 2->36 38 www.fflashes.net 2->38 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 6 other signatures 2->50 11 Sipari#U015f Sorgulama #11032019,pdf.exe 3 2->11         started        signatures3 process4 signatures5 60 Injects a PE file into a foreign processes 11->60 14 Sipari#U015f Sorgulama #11032019,pdf.exe 11->14         started        process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.taoshijuan.com 168.76.77.146, 49816, 80 ULTRANETSERVICOSEMINTERNETLTDABR South Africa 17->30 32 www.1723c.com 168.76.78.30, 49826, 80 ULTRANETSERVICOSEMINTERNETLTDABR South Africa 17->32 34 5 other IPs or domains 17->34 40 System process connects to network (likely due to code injection or exploit) 17->40 42 Uses netstat to query active network connections and open ports 17->42 21 NETSTAT.EXE 17->21         started        24 autochk.exe 17->24         started        signatures10 process11 signatures12 52 Self deletion via cmd delete 21->52 54 Modifies the context of a thread in another process (thread injection) 21->54 56 Maps a DLL or memory area into another process 21->56 58 Tries to detect virtualization through RDTSC time measurements 21->58 26 cmd.exe 1 21->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0730056cbfb7cd86025fcd5b99f94dda7829e33c768efdd11c335b47a281dfda/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-15 10:11:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a4yak3f7w7gymas7zvnzt6kn3j4ctyz4o2hp3ui4gnnupiub37na._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1bdc41058e53e885ccf81cf42ddac59733b6608f40719017dde98ac33ed8b8f5
Formbook
2edd9500d065d10587fcb4f5551095e420c40f3bc5e406dd74bf23f954e01ada
Formbook
3d9b01acd650801e9f3ff8b3c0676b00d7c58efcfa53ab922cd1642b4a963d96
Formbook
4abb8e36aa5fded1bf28926b9e2b079367504d66aff162dedb480a1f90b71517
Formbook
5f5195f363ef21135a5b5298c2a3576bd03125eec094d769b25296eb0a2605b9
Formbook
81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596
Formbook
cd1a6d25a6ecd13b937b860ddbe024fa1927d9ca766121d54eac046c5511cad4
Formbook
d079479dd85fb94fe08f6cd70cfff35e39c14294174a8ed6f9b480ffc1cbc9b2
Formbook
ede0725557e08c21c523681648ace4a5b9d7b3dcfc29f4cda7db92c80b61f038
Formbook
fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e
Formbook
+ 12'454 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211215-l7x86aabhr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
24fd920afbc6e9e13879bea2f457ee33083b323079fd57364b1c12f6148a8e04
MD5 hash:
b0f67a40aaa0559dd5da703ba762c1e1
SHA1 hash:
abbea105a8b7f27293f5499a37db372c5934572c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/da54ac66-67f3-4adf-b334-c84614133cc1/
Parent samples :
9da380610110986e6d1d902e4e0cae2fa00f81380d501461bed8d57f9e92b26a
1c960c3a6713b6964b98334618b02f3b2d7b134f63841f7d621efa7e9bb5f2fc
549d64bd9bc60269b7536f13659e902bc284f3fe586e5fe2d6e9720be7643505
f80774cd7c699a392d2824b7b645a95fa0864d5a73c867999b0c5640d3011aa0
0730056cbfb7cd86025fcd5b99f94dda7829e33c768efdd11c335b47a281dfda
SH256 hash:
f8ee3ec61da05401295cfc650a604dc644a16a8d7afc9f090cd9f7a0d9300317
MD5 hash:
7e9f1e09d0aa634d949c26737c26ff3c
SHA1 hash:
cb6b35efc98d0656148907ce56268a964556664d
Link:
https://www.unpac.me/results/da54ac66-67f3-4adf-b334-c84614133cc1/
SH256 hash:
17ba59f9d4f15183eb5bf70b797a15b0975b6ef77ac9fec2d6e1c467de83a202
MD5 hash:
3d2b62acbe7636fbb3cf807603eea770
SHA1 hash:
1d2fb73e5c19533c06cbfe53ce3022da9de10d08
Link:
https://www.unpac.me/results/da54ac66-67f3-4adf-b334-c84614133cc1/
SH256 hash:
0730056cbfb7cd86025fcd5b99f94dda7829e33c768efdd11c335b47a281dfda
MD5 hash:
a10ef8944a8b06a48be58f693cbc19b5
SHA1 hash:
1a1252981e0dfe2b29ad36459621ac78e24b3eb1
Link:
https://www.unpac.me/results/da54ac66-67f3-4adf-b334-c84614133cc1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/0730056cbfb7cd86025fcd5b99f94dda7829e33c768efdd11c335b47a281dfda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 0730056cbfb7cd86025fcd5b99f94dda7829e33c768efdd11c335b47a281dfda

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/214294/

Comments