MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07a32665c106d4c5fab2625bda4d52f6c40b8137728f2ded016b90cad95a8545. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07a32665c106d4c5fab2625bda4d52f6c40b8137728f2ded016b90cad95a8545
SHA3-384 hash: 7b6887821d8f28eee6d609122ee09dfc89f475f745529a6aeb53558f217c99234cc9d708cd675124702780f7a60d57dc
SHA1 hash: c552321e3d53e9fd9a2fbb52bd77991112c86bc2
MD5 hash: 4ab43d402b20f8277d8182b67c0147d4
humanhash: delaware-fanta-fillet-kitten
File name:hesaphareketi-01.PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:259'365 bytes
First seen:2023-03-07 14:16:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:NYa672bt5A6DWUhcAHwvrpzmKW7hP2XCpG8:NYNctW6aUXHOrpzRwcS08
Threatray 2'383 similar samples on MalwareBazaar
TLSH T1E2441260BFF4E177D0AE0A709A3B26A2AFBB8E1611B0079B1750254CF953395F90E752
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0cc9c96929880a4 (2 x SnakeKeylogger, 2 x Formbook)
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hesaphareketi-01.PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-03-07 14:20:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/219dacc5-0842-4b3c-a9d9-39d135023d88

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372312/
Detection(s):
SecuriteInfo.com.Win32.InjectorX-gen.13796.28359.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/640747607f18ce9b01806489/reports/44d2212c-a4ee-46aa-9e55-6cdfc6bc4982/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/07a32665c106d4c5fab2625bda4d52f6c40b8137728f2ded016b90cad95a8545
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e5214d7f-6dd0-4308-ae6d-5180fadfd09b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1189009
Signature
Antivirus detection for dropped file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/07a32665c106d4c5fab2625bda4d52f6c40b8137728f2ded016b90cad95a8545/
Threat name:
Win32.Trojan.Garf
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 14:19:08 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
14 of 39 (35.90%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a6rsmzoba3kml6vsmjn5utks63caxajxokhs33ibnoimvwk2qvcq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
628aa31e938f6407d365b1c833953f4d5b696c08c55b2b9905e2ab6dd724039b
Formbook
79ae6681fe6fdf1d7810a3bf37811b7c49f706ca0f4c04ab719633f924f727ad
Formbook
7ac2e4aad0054c77e7a2205d156da7032021be264702c8fa76eab7ebc44556ff
Formbook
82bb5ca075a83da9c44b1a9214aa7590bf992d8206038b4f3edd6bd8230f966d
Formbook
82d448cb2461440d0ab1777690a41e228118c36961d8ee506ce94a9622b8af5d
Formbook
8aa4a5feee91f2caa993c9624153ee2ecbe97098fc7470a5103c408376b2a12a
Formbook
8dd634edea7c470fe551cc425ff6851db72af868b04b747e5c516d4743fa3055
Formbook
a3a3e10ea96961c3e5cc533be186a83f18fea89a5beb3074b04f4ee402c5f85f
Formbook
afbccae6537d0602edbc99ef03ec8b89ec23df241079f949c0b8a0aa6f9aa8f0
Formbook
c40dc41488efa6a5e4cb29e69880ad288f6d5a0af69522818239f5410ab807d7
Formbook
+ 2'373 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230307-rlp9bahg4y/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
891453521e4d5be2db00b02acb1eb12dc715cd545baf9e5790da8e25f5034d0d
MD5 hash:
9a4d6b7a38c220a48e875032bc934568
SHA1 hash:
ac3b0985db8ad4602d3cc33ed830cfc0d505b68e
Link:
https://www.unpac.me/results/a66828d3-6c91-49a5-be9e-869dcf60963e/
SH256 hash:
07a32665c106d4c5fab2625bda4d52f6c40b8137728f2ded016b90cad95a8545
MD5 hash:
4ab43d402b20f8277d8182b67c0147d4
SHA1 hash:
c552321e3d53e9fd9a2fbb52bd77991112c86bc2
Link:
https://www.unpac.me/results/a66828d3-6c91-49a5-be9e-869dcf60963e/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/07a32665c106/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07a32665c106d4c5fab2625bda4d52f6c40b8137728f2ded016b90cad95a8545

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372312/

Comments