MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b95079721d911f26b4f72076c2221a3384607bc64d59e80fe8feccb988f0b8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b95079721d911f26b4f72076c2221a3384607bc64d59e80fe8feccb988f0b8d
SHA3-384 hash: a6b5654b23abe5f181b6e1c5133ed1a6e1e41a578ec107bca8c34245fee0d4cc58c1f6205d864d94e72051d1a862dc01
SHA1 hash: 10b62524f8ca174fe6dc117f655286961366ae85
MD5 hash: 747e504dbd30a86838ecc4fdcfa6c2a1
humanhash: beryllium-nitrogen-jig-sink
File name:Fatemeh Aghajani Resume..exe
Download: download sample
Signature Formbook
Create hunting rule
File size:849'920 bytes
First seen:2024-11-05 09:52:43 UTC
Last seen:2024-11-05 11:21:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'604 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:G7OaabHiSPRJbwvIShkSRz3Vxfin8zS9F+QQDrm:HaabHpJJRiRzFx6n8zSHiDr
TLSH T13205ACC03A367B29DEB95BB59924DCB003B51A68B045FAE65EDE77C7309D7106A08F03
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
388
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fatemeh Aghajani Resume..exe
Verdict:
No threats detected
Analysis date:
2024-11-05 09:54:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e7edabd7-1091-4f7d-af76-1c32da7891f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.14631.17705.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6729eb0249e92a05dde2ff5c
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/6729eb02d9908c065a7f889e/reports/32a8542d-d4b1-42db-b028-ee1d97125682/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/0b95079721d911f26b4f72076c2221a3384607bc64d59e80fe8feccb988f0b8d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d9f89cb3-4af1-41b0-9295-d493f72b3dbe
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1549112
Signature
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0b95079721d911f26b4f72076c2221a3384607bc64d59e80fe8feccb988f0b8d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b95079721d911f26b4f72076c2221a3384607bc64d59e80fe8feccb988f0b8d/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-11-05 06:34:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bokqpfzb3ei7e22poidwyirbum4emb54mtkz5ah6r7wmxgepbogq._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/241105-lwmchsyfkf/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e3116cec-88c4-4e86-8451-5a8e2969fed5
Unpacked files
SH256 hash:
c198a717e8488338151f58c08e2ff509140353e8734cedff2e1503c79351a849
MD5 hash:
bfe4e05b025cccb4426cf923707edef4
SHA1 hash:
b3755f7b33e8cc1d1306f4c1bc2718625829fd6e
Link:
https://www.unpac.me/results/e10cfe01-7007-4788-9912-32aee158912f/
SH256 hash:
36c84da3bd9d150405848e402f85c6a076d4dbb26c15a271b9a5fcadc8f9db60
MD5 hash:
789fb43f70dff32453bdac096bfdcbd6
SHA1 hash:
fbf275dda597ee882410fc4709517d48b4adb8e0
Link:
https://www.unpac.me/results/e10cfe01-7007-4788-9912-32aee158912f/
SH256 hash:
ffa94c3bc0c9958ba046069aad120e65b00806affabd71fae1547235f5402c29
MD5 hash:
104ffd21b45e70a98bbb44e73d0539c9
SHA1 hash:
7705fcad21ef45c29cb1b292625220c4856db516
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e10cfe01-7007-4788-9912-32aee158912f/
SH256 hash:
4274f476a586c71825a2282a6d498f678255b6df359e53f5269dc4e08df9b70e
MD5 hash:
e0c595caa80dd7dc92ed3d7ead9eaedd
SHA1 hash:
077ebd09bc62ebaf37f8fe774521c3e420d527eb
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e10cfe01-7007-4788-9912-32aee158912f/
SH256 hash:
0b95079721d911f26b4f72076c2221a3384607bc64d59e80fe8feccb988f0b8d
MD5 hash:
747e504dbd30a86838ecc4fdcfa6c2a1
SHA1 hash:
10b62524f8ca174fe6dc117f655286961366ae85
Link:
https://www.unpac.me/results/e10cfe01-7007-4788-9912-32aee158912f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b95079721d911f26b4f72076c2221a3384607bc64d59e80fe8feccb988f0b8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 0b95079721d911f26b4f72076c2221a3384607bc64d59e80fe8feccb988f0b8d

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments