MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 096f3ff47b6726f118a0c5d11ccd29e49c65f3b3de7e10541b66d90b6212ff74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 096f3ff47b6726f118a0c5d11ccd29e49c65f3b3de7e10541b66d90b6212ff74
SHA3-384 hash: 005861ebc4db6b561190455cfc025ed61412abe93a2506bef5cfdc119f82deb3c616f6b8c1dccbe45a78ed7e84301e8c
SHA1 hash: 8681b6c6f97bf8419524e6c6c9f5a1b0b0e13f70
MD5 hash: d15da2055fa615ddebd55faee889c138
humanhash: iowa-pizza-high-glucose
File name:Yeni sipariş _WJO-010222, pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'123'328 bytes
First seen:2022-02-01 16:40:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:+mYL1hALE1dUSgxiD+hCLh5syuzE5FIZ8p+o4V4VOV:UxCLE1ViiZh5sTwDIZV
Threatray 13'009 similar samples on MalwareBazaar
TLSH T1B135F160B2968541F40B8F355468B56002B278D3A9C7DE376F68364ACFEEB9C2E4534F
File icon (PE):PE icon
dhash icon 851a98b4909864c4 (58 x AgentTesla, 43 x Formbook, 34 x RedLineStealer)
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/229245/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Creating a window
DNS request
Searching for synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61f962a9a0f6a794b330e3ec/reports/f90d3581-87d1-4885-b552-d9459d3e2eaf/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/29b415e4-01ee-49aa-8b86-e2ab48dfd266
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/931851
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 564325 Sample: Yeni sipari#U015f _WJO-0102... Startdate: 01/02/2022 Architecture: WINDOWS Score: 100 31 www.registelk.com 2->31 33 www.agoodhotel.com 2->33 35 2 other IPs or domains 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 8 other signatures 2->49 11 Yeni sipari#U015f _WJO-010222, pdf.exe 3 2->11         started        signatures3 process4 file5 29 Yeni sipari#U015f ...010222, pdf.exe.log, ASCII 11->29 dropped 61 Injects a PE file into a foreign processes 11->61 15 Yeni sipari#U015f _WJO-010222, pdf.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 37 www.cryptonometrix.com 104.21.16.104, 49786, 80 CLOUDFLARENETUS United States 18->37 39 www.cedarlandlumber-sauna.xyz 188.114.97.7, 49800, 80 CLOUDFLARENETUS European Union 18->39 41 6 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 53 Performs DNS queries to domains with low reputation 18->53 22 msiexec.exe 18->22         started        signatures11 process12 signatures13 55 Self deletion via cmd delete 22->55 57 Modifies the context of a thread in another process (thread injection) 22->57 59 Maps a DLL or memory area into another process 22->59 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/096f3ff47b6726f118a0c5d11ccd29e49c65f3b3de7e10541b66d90b6212ff74/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-01 16:41:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bfxt75d3m4tpcgfayxirztjj4sogl45t3z7bava3m3mqwyqs752a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3006eeb75181a2fa43620dc3afde267f2d94d8578dba08906be1ee21e832ae27
Formbook
41baa5cad8fb3ecbaa97116421042ba41a024823638e9b7608c5ac2e2a339525
Formbook
502303edd5a9de57b3667146e84f15fc4957242ca2ef8f75f5e503946c452ee2
Formbook
58fb47124bf49f4190852baec863af03f73216cbba65c7eaa527f6ec6612e42b
Formbook
5ec2107b1399b50f3ed23e72228f1a74ab9898191a23431c8a4cbff7b73af998
Formbook
75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5
Formbook
9de751536a55984df4e0686ff47bbe5553906d4b2e2559d7afc019fcb7d4eb4a
Formbook
b6766af1afb815c61741089760278a15e9089ae7b14a3537faa4ca6e4ebfdffc
Formbook
beccec456cf3e74a220ae1c8fa65cc0f4ddef57bee5d4f2ec71ad7b99da52369
Formbook
f582c02bb98e8313554fabf4fbe11f88157ae4f016f3680fb19d0b72d475e12a
Formbook
+ 12'999 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220201-t64njshhe7/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Sets service image path in registry
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
2fd58331f1dfa74689b365133922606975ca02477e1578565bc71e8956881940
MD5 hash:
defa8402534d7b7584f45ec77073b364
SHA1 hash:
31d48298dba52699d180ad165538ce722bd00f47
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b1779ab0-14c1-4301-9b8e-5777ea3b3ed0/
SH256 hash:
6da8bc05a5934e78a12f588573e37baeec101b6ac3dc7490bcb8e500e4ef8f1b
MD5 hash:
e2398d42aa96f4fe565e99b06e62a608
SHA1 hash:
92465819753f30226302056565c97db687973a1e
Link:
https://www.unpac.me/results/b1779ab0-14c1-4301-9b8e-5777ea3b3ed0/
SH256 hash:
6f1b89bc3013177c101fe4448340c48c0dd08d19017a798bd11c2d0f76be1fbc
MD5 hash:
60a604887b3616e3ed86d81fab0a9ebb
SHA1 hash:
8db84f5f4c569c86c69aff464b2ffc4ce3dafa20
Link:
https://www.unpac.me/results/b1779ab0-14c1-4301-9b8e-5777ea3b3ed0/
SH256 hash:
096f3ff47b6726f118a0c5d11ccd29e49c65f3b3de7e10541b66d90b6212ff74
MD5 hash:
d15da2055fa615ddebd55faee889c138
SHA1 hash:
8681b6c6f97bf8419524e6c6c9f5a1b0b0e13f70
Link:
https://www.unpac.me/results/b1779ab0-14c1-4301-9b8e-5777ea3b3ed0/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/096f3ff47b67/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/096f3ff47b6726f118a0c5d11ccd29e49c65f3b3de7e10541b66d90b6212ff74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/229245/

Comments