MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cc7962edb5360efdaefae56eeee07f8c70aa2107663f92442df041509e82e93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cc7962edb5360efdaefae56eeee07f8c70aa2107663f92442df041509e82e93
SHA3-384 hash: 1d8cc828857e5349059227cab6fa64dbcf5dd132e9773b5402ab395a91a46058d4cd4608c5cde8fa4320ca57767096df
SHA1 hash: 26128b0684a819e3488158d040c4d1b906ff473d
MD5 hash: d6a51d185e394a8e26bd1a29406d283a
humanhash: lactose-delta-quiet-spaghetti
File name:Purchase Inquiry.Pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'270'784 bytes
First seen:2021-07-28 11:44:48 UTC
Last seen:2021-08-09 19:43:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:kYgueCmKTMOsBgo0q4wMzXtOuuX1tvYUkyj99IvAd:kAT1oHMzXtOV1t+yU4
Threatray 7'012 similar samples on MalwareBazaar
TLSH T14E457C787BFD2A0AF0BB577E5074C1B24674B466EA12C32D791272CB0A32359C25D72B
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Inquiry.Pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-07-28 11:49:20 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/34b09936-8132-4962-8867-b54000eea0e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174632/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.953-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/708da29d-bd90-4e35-8450-e293437272ca
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823037
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 455447 Sample: Purchase Inquiry.Pdf.exe Startdate: 28/07/2021 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 13 other signatures 2->56 10 Purchase Inquiry.Pdf.exe 7 2->10         started        process3 file4 42 C:\Users\user\AppData\Roaming\PnjbjcWjC.exe, PE32 10->42 dropped 44 C:\Users\user\AppData\Local\...\tmpDAA5.tmp, XML 10->44 dropped 46 C:\Users\...\Purchase Inquiry.Pdf.exe.log, ASCII 10->46 dropped 66 Adds a directory exclusion to Windows Defender 10->66 68 Injects a PE file into a foreign processes 10->68 14 Purchase Inquiry.Pdf.exe 10->14         started        17 powershell.exe 24 10->17         started        19 powershell.exe 24 10->19         started        21 2 other processes 10->21 signatures5 process6 signatures7 70 Modifies the context of a thread in another process (thread injection) 14->70 72 Maps a DLL or memory area into another process 14->72 74 Sample uses process hollowing technique 14->74 76 Queues an APC in another process (thread injection) 14->76 23 explorer.exe 14->23 injected 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 21->33         started        process8 dnsIp9 48 www.purisopropyl.com 23->48 64 System process connects to network (likely due to code injection or exploit) 23->64 35 svchost.exe 23->35         started        signatures10 process11 signatures12 58 Modifies the context of a thread in another process (thread injection) 35->58 60 Maps a DLL or memory area into another process 35->60 62 Tries to detect virtualization through RDTSC time measurements 35->62 38 cmd.exe 35->38         started        process13 process14 40 conhost.exe 38->40         started       
Gathering data
Threat name:
ByteCode-MSIL.Infostealer.Snakkel
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 11:45:06 UTC
AV detection:
13 of 27 (48.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=btdzmlw3knqo7wxpvzlo53qh7ddqviqqozr7sjcc34cbkcpif2jq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
031af74c61339ca40eda7563268d9e2e2803064c141d3c46eb20acad3764f4cc
Formbook
107f0cce39dcfa85508fd5d256fa0515b6e27f554628e2ca4400af9dc2a5dcae
Formbook
1d500cd661df7071f1ff76b19067cef40b5a0ab4b4a9ac26425dcdbac6eb7e7e
Formbook
1f108a10b866def65686fcb0e0c10612152288ea1f7a6158e5ada37f26d03265
Formbook
311c2667d094e51f0ad2596333a243ca6296d25c07223abf95af0256ed7aeb97
Formbook
4d2ca668cdde851a6389ee4d0fb089d3e125e2d951dbd7201767174ecafa66ad
Formbook
96e8216c941bcea44a0c6d68019cec29c0bc8bf58cc8a20d61fbbf286c0f3ddd
Formbook
d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138
Formbook
d0b2bc00645de803a4e9df303539995ee8f781631684b04fe67ee7e01bcf9c21
Formbook
d4c16c1a6aff7397ae843c9be4450185d6d6ebe8e5fbc544a5b355fb41b2a49d
Formbook
+ 7'002 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210728-2kr79ykfx6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
CustAttr .NET packer
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.papablogzzi.com/obow/
Unpacked files
SH256 hash:
49886c9e6db219f1d49e6319d094ae6825b6638420ae06feae3462731eca2d64
MD5 hash:
0151b2630b0498fc40f6cd1a6ec61b21
SHA1 hash:
d0f74b8a35d8d02985cc5bbeab409a9c8677ccee
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/39871419-c8b4-4392-b15b-9041814f5957/
Parent samples :
0cc7962edb5360efdaefae56eeee07f8c70aa2107663f92442df041509e82e93
6d1b20a3efb84a54e22da5d00f24f03b213ecf73cf429409c46b1f20bf5e8ec5
f567b5072eeb0de2b0c5b921df391ff7ea75996450a39a9eb3202b3eeb33232f
SH256 hash:
b445fe0d0ef61fee8eb00acaa0f9b03a2466a7cacec228036f0337f37485dd54
MD5 hash:
606effe14c0ee1511962ba40b42e239a
SHA1 hash:
8e3f842c2e89c7e7a297e5322bd29cd7ed1a2140
Link:
https://www.unpac.me/results/39871419-c8b4-4392-b15b-9041814f5957/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/39871419-c8b4-4392-b15b-9041814f5957/
SH256 hash:
9fe7d248aea1954384869bc453828080cea34a38cd5832915d409ccaa87c4e63
MD5 hash:
76f8f9058f30f9c975c3a6d1c9d94e35
SHA1 hash:
3fdf2e091869c31e1bacbf166a60fe0dd79ae773
Link:
https://www.unpac.me/results/39871419-c8b4-4392-b15b-9041814f5957/
SH256 hash:
0cc7962edb5360efdaefae56eeee07f8c70aa2107663f92442df041509e82e93
MD5 hash:
d6a51d185e394a8e26bd1a29406d283a
SHA1 hash:
26128b0684a819e3488158d040c4d1b906ff473d
Link:
https://www.unpac.me/results/39871419-c8b4-4392-b15b-9041814f5957/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/0cc7962edb5360efdaefae56eeee07f8c70aa2107663f92442df041509e82e93

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/174632/

Comments