MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dbd5fe8345cdb46f5611862dc31279c99cd60bb4931e6d924f34e84519f35b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0dbd5fe8345cdb46f5611862dc31279c99cd60bb4931e6d924f34e84519f35b8
SHA3-384 hash: a1c87b6822b5a2f57aaee33cd518aa70748a16e457a3d9dcb80fc5d405e4335a44266edd4dcbcaab020634134fc73920
SHA1 hash: 6acd233bd9cbcf3a0e665a88de9647f633da6c6a
MD5 hash: 356f615eb12a2da9a61483e51a42ceec
humanhash: west-red-six-hot
File name:Invoice 2796.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:696'832 bytes
First seen:2023-10-03 14:33:01 UTC
Last seen:2023-10-03 15:37:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:pGbiSAx5PWPQA0pWlBbsn3EWdzpIbXKL31SM1XlLSBsjzC0KeHoWbVtQ/tE:pG7Ax5uPg5+W3kMSBsjHR5tQVE
Threatray 8 similar samples on MalwareBazaar
TLSH T157E4020936BC457CE70ECA7E12B1144603FF6114AB54EA8A0F5B64CA6DE7363A706F86
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter cocaman
Tags:exe FormBook INVOICE

Intelligence

File Origin
# of uploads :
2
# of downloads :
298
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/651c2620426c8727d6e9a40f/reports/8a60eb8a-399f-40e4-9b4c-74e4f6a964a2/overview
Verdict:
Malicious
Labled as:
TrojanS.C5A2F73F
Link:
https://www.hybrid-analysis.com/sample/0dbd5fe8345cdb46f5611862dc31279c99cd60bb4931e6d924f34e84519f35b8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba9f6a2d-1c56-4850-9bee-5c66366c387f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1318788
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0dbd5fe8345cdb46f5611862dc31279c99cd60bb4931e6d924f34e84519f35b8/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 03:07:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 35 (54.29%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bw6v72bultnun5lbdbrnymjhtsm42yf3jey6nwje6nhiium7gw4a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
05360352816fd2dfd09c05a57131f86c59fd38f7153c5261973216cf596ad077
Formbook
1ef0585dccde8a7c1fac3374d6d4db5abc92a24920f76b9063cfb1e5baa4f711
Formbook
3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d
Formbook
5452d5591e734d9e447e2daac94374327b1f81fd48c111b139f0bda6ffad2fc5
Formbook
616936befc6956ed76300f793de7f3954a102733b534b020060168cf711e53a9
Formbook
927d6879bbfa7b3ce300974d8721f89a7cbfd6978dc9b22339eec12fd424a460
Formbook
9fe145f64a6f2ed8283b9bfb1e97a3c93087d8495a53af984d619760c7d859a5
Formbook
e54c15ea5da3277ce9ce7c4242db9b7e1248acc7fed2b84be6dd4d9abaa2e92d
Formbook
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/231003-rwva1sbf6x/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
263764d2b8499c8a110c07ad78d21348b2a430c5177acc4a55cc3da06f154345
MD5 hash:
d2a65b6ca0ee49d770b24009c6962c1d
SHA1 hash:
9c3e325e8b7b09d9a86c40b1dbcadff0497153d4
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/2fbd29e5-aeb8-4ae2-99f2-84965733bcbf/
SH256 hash:
08372fb70ef35b9be3971632f048e1d3f6a476e2249ac7975850f1228a08719f
MD5 hash:
4f8efcbc6acbb9d8e642b4132ec6d9fb
SHA1 hash:
aea948f4f18ca129bca6a9d8596870364a34fa57
Link:
https://www.unpac.me/results/2fbd29e5-aeb8-4ae2-99f2-84965733bcbf/
SH256 hash:
579f1b6c0db41078cb80363969d9cb2e0eb88d3489ffe9a9b575d1166d8c9ab4
MD5 hash:
831705729e879ec2a025d4d82e41e54a
SHA1 hash:
8aef16f8ff07a36aab60f55a1dfa2283dd3dae66
Link:
https://www.unpac.me/results/2fbd29e5-aeb8-4ae2-99f2-84965733bcbf/
SH256 hash:
df4ae14aba1386482151a3b8cc58ef081c58306da7f4cc0c35e0718242cf043c
MD5 hash:
8383b9306b9b5929b0aed1f24991d929
SHA1 hash:
6acebb9f139a62de981a3ec15ce35f61f5c3132e
Link:
https://www.unpac.me/results/2fbd29e5-aeb8-4ae2-99f2-84965733bcbf/
SH256 hash:
70c55b653edb30e469fdd422432131f625352bc46e12a9a633cff96e776adaef
MD5 hash:
3db78c1a315e94c972aeca9b8e21833e
SHA1 hash:
50ac4ac4b6c8927e96244dfe57113a1df7d06344
Link:
https://www.unpac.me/results/2fbd29e5-aeb8-4ae2-99f2-84965733bcbf/
SH256 hash:
8c2bd6bc1fba7a01b4e62e5045552753469471ef7f58e5095f909a440c6b20c7
MD5 hash:
a24528a26f35b163cc52186c9d91d2cd
SHA1 hash:
abd1e51ddbc150c0986eb9d1b460c7bec01e8af5
Link:
https://www.unpac.me/results/2fbd29e5-aeb8-4ae2-99f2-84965733bcbf/
SH256 hash:
ad564a439ff92948e0eb5724caee2e8a31fe8bd00702c3a4ce1a68bd095e01ed
MD5 hash:
d3c4672129da36665f7430ed46d5b3f4
SHA1 hash:
a59cb8d42ce87ee3999cbf54bd5338e3a4938f8b
Link:
https://www.unpac.me/results/2fbd29e5-aeb8-4ae2-99f2-84965733bcbf/
SH256 hash:
87208cc8841717288d1c6d25628ef2138c4e44b3b49c97f236ba2085257ef970
MD5 hash:
3b9b8d28e6508b194d2297f6201607a4
SHA1 hash:
73aefc9ea90fdf23661f650add8b985cfbe71d6a
Link:
https://www.unpac.me/results/2fbd29e5-aeb8-4ae2-99f2-84965733bcbf/
SH256 hash:
1f2849d290dfaa131ead5137ded6164d5adc0cbc6f77f67b4c93b4c909d37f16
MD5 hash:
37cba61c9e8c7d64d3a496d51e1325aa
SHA1 hash:
72f5b9942c1fd714d69b20295386f3c52a17ff9e
Link:
https://www.unpac.me/results/2fbd29e5-aeb8-4ae2-99f2-84965733bcbf/
SH256 hash:
ac3e5a67f2f2ff760ac95d963be066dad4256c011b15fa722041a3a0ed2206f3
MD5 hash:
39cc3671ff8e23ba598f63bd18639133
SHA1 hash:
5abd5fd5724cce547e22e2a14a7b160f3afb3a4a
Link:
https://www.unpac.me/results/2fbd29e5-aeb8-4ae2-99f2-84965733bcbf/
SH256 hash:
0f6c3c6a58e11d12afcc945e43745de5aab6158396f88d353701f4f88deff157
MD5 hash:
648c534c22d8f72789e1b7678907a2a4
SHA1 hash:
425a761b04f64584d7332db5ad62f258ee74369c
Link:
https://www.unpac.me/results/2fbd29e5-aeb8-4ae2-99f2-84965733bcbf/
SH256 hash:
2c8a7cc79d5fe5682f43b0acbce5f6aa3b07da95d890a6e30e4abc9c479844bd
MD5 hash:
b90c6e5e599586213471e4079dcdd227
SHA1 hash:
0c1368cd955c36ca7d4f73dbf37316ef9785e0af
Link:
https://www.unpac.me/results/2fbd29e5-aeb8-4ae2-99f2-84965733bcbf/
SH256 hash:
0dbd5fe8345cdb46f5611862dc31279c99cd60bb4931e6d924f34e84519f35b8
MD5 hash:
356f615eb12a2da9a61483e51a42ceec
SHA1 hash:
6acd233bd9cbcf3a0e665a88de9647f633da6c6a
Link:
https://www.unpac.me/results/2fbd29e5-aeb8-4ae2-99f2-84965733bcbf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0dbd5fe8345c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0dbd5fe8345cdb46f5611862dc31279c99cd60bb4931e6d924f34e84519f35b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar fb1850a9de283511c3d8cf8c54f2ac8f482281a393c3d25ef37c22e47aa295c5

Formbook

Executable exe 0dbd5fe8345cdb46f5611862dc31279c99cd60bb4931e6d924f34e84519f35b8

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 fb1850a9de283511c3d8cf8c54f2ac8f482281a393c3d25ef37c22e47aa295c5
  
Dropped by
MD5 80af84261f1dc5ca1276251b85a70c96

Comments