MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cfc4a24356e2c51ac3513f44b2ab354b72bf131c334c0a5206e9c39dbf15104. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 15 File information Comments

SHA256 hash:	0cfc4a24356e2c51ac3513f44b2ab354b72bf131c334c0a5206e9c39dbf15104
SHA3-384 hash:	6ad437a7174f20876f7edc22a15899989fbbf7ae23c24034eda3354a3720371441b49da451433a74089da9a17f02cc68
SHA1 hash:	3f69ba5d6a0c7bea0a27e43c51acceda491b4aec
MD5 hash:	e2dac21e27262b1c524913ea075d39e8
humanhash:	red-wisconsin-solar-mountain
File name:	HSBC Payment Advice_pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	774'656 bytes
First seen:	2023-11-28 16:37:32 UTC
Last seen:	2023-11-28 18:15:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'793 x AgentTesla, 19'692 x Formbook, 12'274 x SnakeKeylogger)
ssdeep	12288:DGSQmbCp0IbfutupwkgTrEIH7ZsgSX7EXeU7qZOschnvChrv85JmHo:Gmtupwtx7Zs/wX97qZOscBChzIJIo
TLSH	T1EDF4E02837FD2F23E07947F94422196003FA79AE107DE6D81DC271DB25A4F18AA89F57
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

294

Origin country :

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/460996/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/6566176a6d3af19226744812/reports/be221b31-b726-4f35-af1e-b7150732b52a/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/0cfc4a24356e2c51ac3513f44b2ab354b72bf131c334c0a5206e9c39dbf15104

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/931fdf2b-0938-4fa7-b5e5-2618a08bd493

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1349425

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus detection for URL or domain

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0cfc4a24356e2c51ac3513f44b2ab354b72bf131c334c0a5206e9c39dbf15104

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0cfc4a24356e2c51ac3513f44b2ab354b72bf131c334c0a5206e9c39dbf15104/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-11-28 13:06:22 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 37 (59.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bt6eujbvnywfdlbvcp2ewkvtks3sx4jrym2mbjjan2odtw7rkeca._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231128-t5dezabe53/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

c04ddd6c59e5a7a09b14d6e7a63f631ebe8aaa95e082b02c549f156c55562ce9

MD5 hash:

57eeb622b1f517875f53865fa5b44d2b

SHA1 hash:

18638e3a645255de7a40b1a73e906b153e174bc8

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/3896877c-f842-4415-be3b-fa68eee988ad/

Parent samples :

c5444c85b810f99e008f31b9ea1b1a128df74044cacf326c27fe1937f5b45fdb
9cdf9666a5b359975ad0d1fff59120ff2d7aeeaf2b6491d528a815c6bc582e5d
0cfc4a24356e2c51ac3513f44b2ab354b72bf131c334c0a5206e9c39dbf15104
629fd7db8bf28b9a395d19bdc55296d3b9048c5d631659cb1896bd8f2a679a78

SH256 hash:

e08d0968bdf8a42150184fde0ac64cf29c60cd57ec968eec358c34698f4c4a3a

MD5 hash:

ffaac75fbfb4ba8cf9fc3cb7e9399344

SHA1 hash:

413ba56d78a56f06f466491c211068b46489ae0b

Link:

https://www.unpac.me/results/3896877c-f842-4415-be3b-fa68eee988ad/

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/3896877c-f842-4415-be3b-fa68eee988ad/

SH256 hash:

a5f59ea40cbc4644d3a86653910498f821f93127e032f8a769c42c5b18c13c70

MD5 hash:

fce17c1ad93811ace6bb41c7052f69bc

SHA1 hash:

cde25b7d243317025acf2d5f55dc473975373c7b

Link:

https://www.unpac.me/results/3896877c-f842-4415-be3b-fa68eee988ad/

SH256 hash:

2a0290a662e89a81ed2d9c73e54a0aeba209fc36617f134cf0aaa74690db47db

MD5 hash:

4820945deb84d6bd26460e8a6ba0c622

SHA1 hash:

c519540ad21594fa45fcc2e6e15cfbea8b3449b9

Link:

https://www.unpac.me/results/3896877c-f842-4415-be3b-fa68eee988ad/

SH256 hash:

06c7dc05b84e05b830ad4586c0a3704ddc93f12aedb85e735d1ce8d2f17aca14

MD5 hash:

6fb1bc2bc34329555d43b085ab474df7

SHA1 hash:

9cf2ac0cd1b5a2dfa85d33edfdcd797592e83952

Link:

https://www.unpac.me/results/3896877c-f842-4415-be3b-fa68eee988ad/

SH256 hash:

27b1a1f0fa96d3b9a8197e7000fedbce22af1e5f591c534037e958358885ee35

MD5 hash:

8952a4ebfb66dd7e3f2f23a27bff2738

SHA1 hash:

6b4d461cda3290c350bc1c50ad7b5b2aa3a59ee6

Link:

https://www.unpac.me/results/3896877c-f842-4415-be3b-fa68eee988ad/

SH256 hash:

ad4c81bc949e8614ca08552a7a56bdc4d2b15485c5fdafb2f628a23e5836b34d

MD5 hash:

81c1d950a251320d79d536dc18844c4b

SHA1 hash:

3461cf3f4f0572845afc480029a327a2f8a382ff

Link:

https://www.unpac.me/results/3896877c-f842-4415-be3b-fa68eee988ad/

SH256 hash:

c2e74df9b6c5d894ab06a4d121de5bfe7dc9524dad8735892d23d2de617719b3

MD5 hash:

8304d9aa97dbbee30a4540e703b873c8

SHA1 hash:

316359ac6bd91674100b1f2c77a05b73756daae7

Link:

https://www.unpac.me/results/3896877c-f842-4415-be3b-fa68eee988ad/

SH256 hash:

d3b8bc9ac49d7873ca2b5e87c8775e45ab6d6bba46805c62614d7fae7da2b710

MD5 hash:

4489691eadab507d8eb195fe5b6c9b92

SHA1 hash:

2c85fc875bf42da0ef82baa7f30ad5c9576565d1

Link:

https://www.unpac.me/results/3896877c-f842-4415-be3b-fa68eee988ad/

SH256 hash:

b14d840fb0742dcc5678d97d5f3a8fd264f2d27063dafdfdc9e08c88091a0b77

MD5 hash:

fb31a04cd95ffd118884a044d4ee52f4

SHA1 hash:

19b12524906eecabbabc1b5fdf14d44b39d25abc

Link:

https://www.unpac.me/results/3896877c-f842-4415-be3b-fa68eee988ad/

SH256 hash:

0cfc4a24356e2c51ac3513f44b2ab354b72bf131c334c0a5206e9c39dbf15104

MD5 hash:

e2dac21e27262b1c524913ea075d39e8

SHA1 hash:

3f69ba5d6a0c7bea0a27e43c51acceda491b4aec

Link:

https://www.unpac.me/results/3896877c-f842-4415-be3b-fa68eee988ad/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0cfc4a24356e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0cfc4a24356e2c51ac3513f44b2ab354b72bf131c334c0a5206e9c39dbf15104

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 0cfc4a24356e2c51ac3513f44b2ab354b72bf131c334c0a5206e9c39dbf15104

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/460996/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample