MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bf294fa8036aaa1c481756b521a5d30093b7bb588b0b8842456bf9d3443ea1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	0bf294fa8036aaa1c481756b521a5d30093b7bb588b0b8842456bf9d3443ea1f
SHA3-384 hash:	dc8bc6401bf8a0ffecca28dc150648cc9b9cff416497051b25a3fd1190497755ee571f0028c4674c7f9c622d3db614b4
SHA1 hash:	b768ca125a05ade5b56db6beed6678a33e8fe99e
MD5 hash:	e801d071e8274eebc86328b45c5d1e80
humanhash:	colorado-low-wisconsin-spring
File name:	Purchase Order.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	660'992 bytes
First seen:	2022-07-04 04:18:04 UTC
Last seen:	2022-07-04 04:33:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:PRHDbtY642Px8zYlr+WozZ6diqGfaYwD8qNdKttHtGjNbAGtH:pHvtY6pywToPqGiYwoM0tNGR
TLSH	T19DE4F16DFFA6EA12C2581673C0D2542843B1B94A512AEF5B378D139A5E43373F8C178B
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

257

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.8598.26178.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62c26a733298ebd789058d6f/reports/ebdd2b81-908b-4690-90a9-c586f5983c79/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/729189a6-64d3-4440-aa4b-65113fcd54cc

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1023838

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0bf294fa8036aaa1c481756b521a5d30093b7bb588b0b8842456bf9d3443ea1f/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2022-07-04 03:58:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bpzjj6uag2vkdrebovvvegs5gaetw65vrcylrbbek27z2ncd5ipq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ir93 rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220704-exhmdsgfd5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

021bff5b7497f63714d88ed6427f6cea7be0adddfbb70ae66ea080cc68be5b9f

MD5 hash:

5b7a6ab6df7c1f5150baf0fca6cd53f1

SHA1 hash:

d8db78fd1247abc3f6e75be029a07b0d4003c907

Detections:

win_formbook_g0

win_formbook_auto

FormBook

Link:

https://www.unpac.me/results/59d034f8-6137-4582-ab66-1ff4eefdc83c/

Parent samples :

788ea00a409b014057ab3e26da71161e4eacec9478e45a836cfca6eb34d6d152
afebe2a58337e50acfaadf900888c90195c2e50127b281d04aa3d799474ca43b
1cb9eb0fbed2683a2623dca8243a9be47affff1b33b8c86e09a2b64f0d55a9b2
e04d6d60473e9bf2f221aa9d8d2d7afc5a58e6c11af9cd79fe65f76c4482267e
abb347ac140c2ba551fe45121675aa273b9ea265337baa3e54aa4b93d2fb6db6
6d901c28cdd7de9753e4876a2f981ccddc9005095bf55b4503799dac8b7f0711
0bf294fa8036aaa1c481756b521a5d30093b7bb588b0b8842456bf9d3443ea1f
3f6c93773e47afcf964b6d01313d63b90dcdb8ac227cd7bb80b232fc924f5aac
9b218187a67d77dca325631770b6b85686b8eeec2cceaa6dd8f5c9db37af6432
9bccba2dd88df736c04d6d657879abe5b3bee28103aecedbba19b91b684d43af
538caa87df986328d0ed89dae0510619173071244c6e7977f4abbdcd29af3c17

SH256 hash:

152bc14bde2b9548f848dea10e8fea411640440400354b06caf42d39c32c8403

MD5 hash:

4facc828c34ad63bae2ff4cde1b99223

SHA1 hash:

c44e094e5ba9b1242ed71a4b7af5259ef8da9495

Link:

https://www.unpac.me/results/59d034f8-6137-4582-ab66-1ff4eefdc83c/

SH256 hash:

70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca

MD5 hash:

30d61a3a3e26c2bca2eb766990132d7c

SHA1 hash:

94f9742d5f21b13f7d8d194fe938193cbb6a0d4d

Link:

https://www.unpac.me/results/59d034f8-6137-4582-ab66-1ff4eefdc83c/

SH256 hash:

e3722f75a20ed53330e571c00995618f44254e2f31d2df8fce8f9efe73d4e3ff

MD5 hash:

f855e26a5aa9b1aacb33ee66e28c541e

SHA1 hash:

842d7d97d876cfaa8fd9f645d51a04f1ef3c5581

Link:

https://www.unpac.me/results/59d034f8-6137-4582-ab66-1ff4eefdc83c/

SH256 hash:

3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae

MD5 hash:

9ea556e333e216a65aa09c102f36004f

SHA1 hash:

814c07f1dc68bd61840384aac3aa8346d9f8148f

Link:

https://www.unpac.me/results/59d034f8-6137-4582-ab66-1ff4eefdc83c/

SH256 hash:

035457cc4f773b7af8b5b204c85b52da7aaeba7bcee3659f7619906a8303969b

MD5 hash:

a6df93074154f30f2ad9e326617cda04

SHA1 hash:

5571741902c941109a7d94c0e91ce70322920999

Link:

https://www.unpac.me/results/59d034f8-6137-4582-ab66-1ff4eefdc83c/

SH256 hash:

0bf294fa8036aaa1c481756b521a5d30093b7bb588b0b8842456bf9d3443ea1f

MD5 hash:

e801d071e8274eebc86328b45c5d1e80

SHA1 hash:

b768ca125a05ade5b56db6beed6678a33e8fe99e

Link:

https://www.unpac.me/results/59d034f8-6137-4582-ab66-1ff4eefdc83c/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0bf294fa8036/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 0bf294fa8036aaa1c481756b521a5d30093b7bb588b0b8842456bf9d3443ea1f

(this sample)

Dropped by

formbook

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample