MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07e58562c48d6c226bc1dc5df78dea39e3cba578439d7ad04ed5d46975528ee5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07e58562c48d6c226bc1dc5df78dea39e3cba578439d7ad04ed5d46975528ee5
SHA3-384 hash: 03cf56ae0da8a3f3188559c2c832eba1dc78dd2a3d17b7186c80f80288ea7d36efdcb14116823a6572eb51d4eb3936b8
SHA1 hash: df6f244d8eb374a20f913f5cf63a260f29c59d37
MD5 hash: b9d4aaa800f2472357b18a3675b3960a
humanhash: alanine-mango-maine-jig
File name:Parcel No; TNT 502379AWF_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:296'409 bytes
First seen:2023-04-17 09:12:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:jYa6pgrtaLZBANukFrXXuvp5oLUv91wktsFNbYEYShx5fg7v:jYn3+FrXXuvpIG7ztsFNkXSL5fMv
Threatray 2'614 similar samples on MalwareBazaar
TLSH T18E54120577A084ABEC724F751F7C996793B7AC160456E70B3394E90D3A327A1CB0A7B2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c89c98acacacbcac (31 x Loki, 23 x AgentTesla, 22 x AveMariaRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Parcel No; TNT 502379AWF_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-17 09:14:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d4fb7cd8-e286-4cb2-bc94-11fbb1a5aea6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/382751/
Detection(s):
Win.Dropper.Smdd-6956905-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80024/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/643d0da112f914d0711b4c44/reports/cd063d5b-84c8-4bed-8925-764cb69285d8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/07e58562c48d6c226bc1dc5df78dea39e3cba578439d7ad04ed5d46975528ee5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/85e5ce04-13e8-404a-bb5b-0edd1ed8b584
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215062
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/07e58562c48d6c226bc1dc5df78dea39e3cba578439d7ad04ed5d46975528ee5/
Threat name:
Win32.Trojan.Garf
Create hunting rule
Status:
Malicious
First seen:
2023-04-17 09:13:09 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a7sykywervwce26b3ro7pdpkhhr4xjlyiooxvuco2xkgs5ksr3sq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
43440434172d5730884fa5f0ae4f7ae73c4815e74618d18bc405d18dd325fed4
Formbook
85259a321d6b1d54bae58397546222f0cf4584467240f0cbcdb7445577b66510
Formbook
b32ed7458086ae3a05007a54d6660b9ce6382bd82af78c2c56f856ea6f2d95a3
Formbook
b3fe3de729e3bacd16f951173d7e42ec7fae5bf90909cece61e782282fd96ced
Formbook
b40dee218b4a54e4882c90f15a62a58dfbd216432ebaf9becca6a3bd6adc46ae
Formbook
b6b4defc23fd79807ed6c5a4e2a111465c3e444a6efd07e837fcfffa4a19b688
Formbook
c4ab14d93e54b2c6e70fa0f284cee729b56186894dfdff4207cbc3d0c690c80f
Formbook
cec7134d68d67d6f7ee0d32945f6ee4eafeb58a68c4769867f212ad879480c22
Formbook
ebce15ad53b98d7aba7f7544ee947e88f58d696e22ca4bc5d15b2ded37b577ac
Formbook
f5ae9ee403c63e78514c23cdb6297c09a5367c241f6151def5fe1fc096946de4
Formbook
+ 2'604 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230417-k6q8sadf42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
1ec556b9804a8195576bd569f55123e08c93406905b7fe66daadc5369d6c2dc3
MD5 hash:
62459803fbeef4fd6a4a096c937f9d70
SHA1 hash:
ec5a7eab356a72fe2da78f15922b35ae1b411ad3
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/522f0448-0ff5-4cdc-adf1-ae15b52a75fa/
Parent samples :
564bbf886f8ca5cb5674f3d073bc27faf96cd76e234eface059c53e676d8a6de
dd086f5b3e968fddaf79e87afc4f11d6e0c031e7c839e394b54b76c3f51c1f77
07e58562c48d6c226bc1dc5df78dea39e3cba578439d7ad04ed5d46975528ee5
4e4db170fba9aaf6faf5e401a583f6d7811236f6df70eb76e3ccc6c4139c3f4c
81f8ce446b9d3e123d81d617d24cd593050befc695ba76636b548c066f0a9b1f
SH256 hash:
67e25baff0b3f7a1c113efcc745954458fec8a4f7a820602e79eac9d292d48c3
MD5 hash:
7534319157a5fee111d00c04db2ae29e
SHA1 hash:
5e2e6995a015088745da4a1a0cb119fadc1c9e69
Link:
https://www.unpac.me/results/522f0448-0ff5-4cdc-adf1-ae15b52a75fa/
SH256 hash:
e7a999c7a58aefbabd34d1efcb1e74a2e085e7cd4f8df5c4b7a6f7f9613acd5b
MD5 hash:
746bcaf6a2267c3b1a0fcc0885776beb
SHA1 hash:
d7cf00692be4a5cd16f577fbe5d3ea308d1c156b
Link:
https://www.unpac.me/results/522f0448-0ff5-4cdc-adf1-ae15b52a75fa/
SH256 hash:
07e58562c48d6c226bc1dc5df78dea39e3cba578439d7ad04ed5d46975528ee5
MD5 hash:
b9d4aaa800f2472357b18a3675b3960a
SHA1 hash:
df6f244d8eb374a20f913f5cf63a260f29c59d37
Link:
https://www.unpac.me/results/522f0448-0ff5-4cdc-adf1-ae15b52a75fa/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/07e58562c48d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07e58562c48d6c226bc1dc5df78dea39e3cba578439d7ad04ed5d46975528ee5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 07e58562c48d6c226bc1dc5df78dea39e3cba578439d7ad04ed5d46975528ee5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382751/

Comments