MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ab6083c712635593c1f3229fc3ea45bde80031f5cb43042c250b3a4b99ffee4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ab6083c712635593c1f3229fc3ea45bde80031f5cb43042c250b3a4b99ffee4
SHA3-384 hash: f4827e657da98614bcae189401f24391ec025bc0ec67baa53c12eeb00bb2b2185115428c408901c48cf04acaaaefc856
SHA1 hash: e084e5663d702da7d3eb6b6fa65929c52951f824
MD5 hash: d947d150ed7e25ece3d9ddfebfd5bf06
humanhash: princess-angel-table-river
File name:INVOICE-DRAFT.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'194'496 bytes
First seen:2022-08-01 10:01:42 UTC
Last seen:2022-08-01 13:06:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:MH2iNSg6SKlpxaiCn4ODqdLt+/hi/CvKXTpcLaAHttouW7SZ:o1SLlpxz2oZWlvKTpcLaANtouW7SZ
TLSH T1B5456B299D75D40BC0076EF52A68DA3610142F7C6B06812235F9B5EEF6323EB58A3D3D
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0f0e8e8e8e892a8 (7 x Formbook, 3 x AveMariaRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
SPAM.zip
Verdict:
Malicious activity
Analysis date:
2022-08-01 13:04:45 UTC
Tags:
trojan opendir exploit CVE-2017-11882 loader encrypted formbook stealer
Link:
https://app.any.run/tasks/622fdd69-41d0-4dc3-abaa-ed6336c58542

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295535/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62e7a4da6336465f2a00a868/reports/7b40767b-e284-4760-a0ef-f8bb90203e2a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95628b7d-8f8d-4dcc-a0f3-22c11894abc4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1044089
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 676583 Sample: INVOICE-DRAFT.exe Startdate: 01/08/2022 Architecture: WINDOWS Score: 100 39 www.graymattersworks.com 2->39 41 www.cocoaslimparati.store 2->41 43 2 other IPs or domains 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AntiVM3 2->49 51 7 other signatures 2->51 9 INVOICE-DRAFT.exe 7 2->9         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\qEggUVSmROjcLY.exe, PE32 9->31 dropped 33 C:\...\qEggUVSmROjcLY.exe:Zone.Identifier, ASCII 9->33 dropped 35 C:\Users\user\AppData\Local\...\tmp3667.tmp, XML 9->35 dropped 37 C:\Users\user\...\INVOICE-DRAFT.exe.log, ASCII 9->37 dropped 53 Uses schtasks.exe or at.exe to add and modify task schedules 9->53 55 Adds a directory exclusion to Windows Defender 9->55 57 Injects a PE file into a foreign processes 9->57 13 INVOICE-DRAFT.exe 9->13         started        16 powershell.exe 23 9->16         started        18 schtasks.exe 1 9->18         started        20 INVOICE-DRAFT.exe 9->20         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 13->63 65 Maps a DLL or memory area into another process 13->65 67 Sample uses process hollowing technique 13->67 69 Queues an APC in another process (thread injection) 13->69 22 explorer.exe 13->22 injected 24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        process9 process10 28 explorer.exe 22->28         started        signatures11 59 Modifies the context of a thread in another process (thread injection) 28->59 61 Maps a DLL or memory area into another process 28->61
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0ab6083c712635593c1f3229fc3ea45bde80031f5cb43042c250b3a4b99ffee4/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-08-01 10:02:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bk3aqpdrey2vspa7giu7ypvelppiaay7ls2daqwckcz2jom773sa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220801-l2sfqagcfk/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
ac60c7fd8363b2189ca63e75c54932d726d4d16794dbd645fdc23f2b8003203f
MD5 hash:
2a105f3926cec84e6b8431b15816d7e0
SHA1 hash:
c1d45b4bef146ae05ae4798e96002a71c1936213
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ac7df1d1-1893-4ee3-8727-30cec4f20cea/
Parent samples :
758a693619b82e4c0188bddba10021226d25697b0bc1b397f911bcaf2a44222a
0ab6083c712635593c1f3229fc3ea45bde80031f5cb43042c250b3a4b99ffee4
c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a
SH256 hash:
cefe87a0de015dc44dc1086458460be07edba8d9f7211c4bed8a11809d520a72
MD5 hash:
0403b7f4765e08a2f74690caf1a82990
SHA1 hash:
b0e9f69b8c337b605edecdcc3345c6f0045ee04e
Link:
https://www.unpac.me/results/ac7df1d1-1893-4ee3-8727-30cec4f20cea/
SH256 hash:
c453f891b7e9bc521064b6dd6377e974868b1376ee519b9c42228ba59cced0ad
MD5 hash:
37cea074d2daa9f51c26212b207402f4
SHA1 hash:
f0f3dd6625fc8f4bcedaedef5626e48f501001d2
Link:
https://www.unpac.me/results/ac7df1d1-1893-4ee3-8727-30cec4f20cea/
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/ac7df1d1-1893-4ee3-8727-30cec4f20cea/
SH256 hash:
a9c5b2c628a47247402ff05d399855caf6f6a22146d44cd0fd9d7fc05a65ba66
MD5 hash:
228ff1006be83039e4de2b5e0475a5b0
SHA1 hash:
3adef5cc343067fa6b9d5e712114dc619c867a72
Link:
https://www.unpac.me/results/ac7df1d1-1893-4ee3-8727-30cec4f20cea/
SH256 hash:
cc6446a98155b4fc49806b710ac427c00d5480a113e4e7d7b6caa26ba1763844
MD5 hash:
d5a4c97ba77367fff59929dd3b57bf94
SHA1 hash:
371d73c1925d2d347c3277fea8d04a0b8d48d90c
Link:
https://www.unpac.me/results/ac7df1d1-1893-4ee3-8727-30cec4f20cea/
SH256 hash:
0ab6083c712635593c1f3229fc3ea45bde80031f5cb43042c250b3a4b99ffee4
MD5 hash:
d947d150ed7e25ece3d9ddfebfd5bf06
SHA1 hash:
e084e5663d702da7d3eb6b6fa65929c52951f824
Link:
https://www.unpac.me/results/ac7df1d1-1893-4ee3-8727-30cec4f20cea/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0ab6083c7126/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ab6083c712635593c1f3229fc3ea45bde80031f5cb43042c250b3a4b99ffee4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 0ab6083c712635593c1f3229fc3ea45bde80031f5cb43042c250b3a4b99ffee4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/295535/
  
URLhaus
https://urlhaus.abuse.ch/url/2263542/
  
URLhaus
https://urlhaus.abuse.ch/url/2263544/

Comments