MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce
SHA3-384 hash:	51f80c876fc4ebe8c4f662aa9931d2672f8298f18661fcaba0bd1ff054a6bedcc1ab6abdf1fabda05345ec16911786f5
SHA1 hash:	a01b85c6f3477d5870508401bf0b4b26cc141608
MD5 hash:	c0cb8402b1f4d35c839936512ca83cb2
humanhash:	south-cola-floor-vegan
File name:	SecuriteInfo.com.Win32.PWSX-gen.22631
Download:	download sample
Signature	Formbook Create hunting rule
File size:	935'424 bytes
First seen:	2022-09-06 10:45:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:tre/tfHGthrPoUWqnZL/UX/VbTNZf4H7ZbAyFncrBY:EpHGzrod8UX/VXGMNY
TLSH	T1D5151A0B21D40965C87251F8A4CCC5734BAA9E45E53BC949BFCA9CEFF192F6C42D22E1
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

274

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.22631

Verdict:

Suspicious activity

Analysis date:

2022-09-06 10:47:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1e3211a4-ba82-4f8c-b37c-896181f0225f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/308155/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.22631.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/631724f72021c816b88face7/reports/dc274fc0-deed-4c83-8c73-3896bca4d226/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ef6c8c37-108f-41fb-94d4-0c64506be35c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1065568

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-09-06 08:58:37 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bn757b7k55fkzmvziq7fs6byicwl5b7kaggbjl3gahctcetbytha._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/220906-mty4zabee7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

6ff4bf0414e5586713172d5bf2c5950bc340d4e7e5281c808238ad4854eb4fa5

MD5 hash:

649c8087ff6984851e56db65bd3cc3aa

SHA1 hash:

8aa2a8b9fd0a6607c816095f01743173f6aadb41

Detections:

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/7b4a96ee-a7fe-471e-8737-3b1b04c7d8a2/

Parent samples :

0606bdc61d15a75b3b5097cf82980bdba56af81b30af2a12f32beb1307be5791
043470f6b0a88a5fe3189b7dffa5f6e8bc5ebe639c9967049763c2387465060f
97b7577f2c05a98b53165ea7e9c90735e982332f6007b2dcdd47ed85ebd72ce2
0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce
23d2e10a52afae3224130b631f0e0642100346ebf9b06025326d78e5d43bb21c
885d3612f1d5f7b8067b8686d563985039f9adfc335950136ec6f42f77580d34
d5881bb367b8481bd0c089d687456d98073f61f47dd28f23fb70ca75cf888bd4
16a2b9e15cc4c305c50f9856d69a253c6ab1a69968d41fc6cf65de5f8861c57c
3eacbab11c9f00e94b06ad4feaf37264839faaddb10f611207ae44a460b5b6f6
4bfd8737e902286e9241b79d3099f85744194fa0c9a330ebe51db5c3e2e747a6
c3bceaed735d92dcc15f95ed452a184236e03cf317977ecb311c208b9f27451a
1eee0709877d020629b31a21104d218743150062a41db240b505f876963ae7aa
b1b75a5bc8ec385bb74f35172c1701e08ac29872653fc2f588873907650a1062

SH256 hash:

8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63

MD5 hash:

dbc7be56e6e32349315170599c8b333f

SHA1 hash:

d8e5840e3574b87d435e55a65ac648e040871aee

Link:

https://www.unpac.me/results/7b4a96ee-a7fe-471e-8737-3b1b04c7d8a2/

SH256 hash:

2fc86f917f2f3e60f8f06f1bd194119b008be8a6f3bf25ebe2546807cc865385

MD5 hash:

0236b3a9f0b6e6e5638c6af0741f711d

SHA1 hash:

94862fd2cc3ff27511f082a11f43afffc99131ef

Link:

https://www.unpac.me/results/7b4a96ee-a7fe-471e-8737-3b1b04c7d8a2/

SH256 hash:

2e218f925f289b6bf7645a0f5077b2064496890917a2d3390a59056004cdd8b2

MD5 hash:

e7dcf007dc3eb13983b02dca0e8565ee

SHA1 hash:

44e164ee1d73b69ee19ccf5e8ce2ddd8f3409e4c

Link:

https://www.unpac.me/results/7b4a96ee-a7fe-471e-8737-3b1b04c7d8a2/

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/7b4a96ee-a7fe-471e-8737-3b1b04c7d8a2/

SH256 hash:

0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce

MD5 hash:

c0cb8402b1f4d35c839936512ca83cb2

SHA1 hash:

a01b85c6f3477d5870508401bf0b4b26cc141608

Link:

https://www.unpac.me/results/7b4a96ee-a7fe-471e-8737-3b1b04c7d8a2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/308155/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample