MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e39ef64479fdca265d7a41809af208aa2720d8d3895187b5f8f7ea5370018bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	0e39ef64479fdca265d7a41809af208aa2720d8d3895187b5f8f7ea5370018bc
SHA3-384 hash:	d4ad7ba5c10153e770516b31203fa446b5fb92c7e19f6094bf6bb71b642abcdfc6c5a7d6238e64070f10103c342b10cc
SHA1 hash:	7eb908c9870c5d79b0a74c68c2c59602cd97c302
MD5 hash:	2437236f8d10cf09961dccc847f8b284
humanhash:	bravo-alanine-north-neptune
File name:	Product Catalog and Price_pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	743'424 bytes
First seen:	2022-03-09 10:45:09 UTC
Last seen:	2022-03-14 12:10:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:2rRcECaZ+v0AkwL9gUAyjtpZziLI0cZmfP5erBl6ZlCurmwl1eue4w7k0QZXN9Tu:2OEmvx+TyjTZMcIHErXU
Threatray	14'757 similar samples on MalwareBazaar
TLSH	T134F4D59C312031DEC96BD6759AA81D68FFA03C7B831F511B902731AD9A7C987CF245B2
Reporter	pr0xylife
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

222

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/248584/

Detection(s):

SecuriteInfo.com.Trojan.MSIL.Noon.lc.12698.2297.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Launching a process

Searching for synchronization primitives

Launching cmd.exe command interpreter

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit obfuscated packed

Link:

https://www.filescan.io/uploads/6228856cb94fb38cb446a0ff/reports/6e78e840-db97-4526-bb17-b38803787fce/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3f78a5da-9e5c-4bee-ae27-7f7ad6d81e66

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/953212

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/0e39ef64479fdca265d7a41809af208aa2720d8d3895187b5f8f7ea5370018bc/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-03-09 10:46:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=by466zcht7okezoxuqmatlzarkrhedmnhckrq627r57kknyadc6a._file

Verdict:

malicious

Label(s):

formbook

Formbook

0b7b92e40a75e7c96676e65733f2babfdf0c37529c130619510b2b0b7879a697

Formbook

5f5195f363ef21135a5b5298c2a3576bd03125eec094d769b25296eb0a2605b9

Formbook

6077a6a5a6270bd0cbd94bd424294d9c1afe129e72ac671db981245f4e294234

Formbook

75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

Formbook

aa768c2c6e6e99313d1de9367ad2b894ce051ae3ce3ed1aeedc806ab8b0a0f80

Formbook

acf40f9d3eea74324291c55f5ab8d3678e0dcc085581bdd9cf66897f4324bc3c

Formbook

d079479dd85fb94fe08f6cd70cfff35e39c14294174a8ed6f9b480ffc1cbc9b2

Formbook

dc368951f1df68a92c51f9afe6ad73c717b040fb9af6a278e9201b176362ed70

Formbook

dfb938333b6dbb62861831b5641728e8bfa444d4b820df6fb6dbce56f83ab42f

Formbook

+ 14'747 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220309-mty4zabbam/

Unpacked files

SH256 hash:

d54e92129fe9926d2e995df71ecca40ba78e783dd22ba55d0f442a010b2f93da

MD5 hash:

5661ec0746d93b6ee0a2693f2e8a197e

SHA1 hash:

70cc5757db8ce3bcea5f830ca5b6e7ff72e62c31

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/716eb777-8a7e-44fd-b0d4-feb1f8e7744a/

Parent samples :

0e39ef64479fdca265d7a41809af208aa2720d8d3895187b5f8f7ea5370018bc
7de9f7a81557d4a2a6818b50b8f8ab8948ce6329bf1c696d038e1231237a07d0
041760471bc27a43bf84ff6bee7edce055983316c01cd984ade1872239c1a35c
b10824c56d2ef6aa6af1474f898e5578bb6f6155eb4f9cd63ef3e7fd36c2a827

SH256 hash:

79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696

MD5 hash:

39f524c1ab0eb76dfd79b2852e5e8c39

SHA1 hash:

428018e1701006744e34480b0029982a76d8a57d

Link:

https://www.unpac.me/results/716eb777-8a7e-44fd-b0d4-feb1f8e7744a/

SH256 hash:

7561f110672a5aeb1b3556c2849e11c890f92f35e4629de3f80186b739a71ab5

MD5 hash:

51b46bc7ed0e509ab0194fcc106e5fde

SHA1 hash:

0f8a52b103032a721e6a5974cf1990fc1a68f922

Link:

https://www.unpac.me/results/716eb777-8a7e-44fd-b0d4-feb1f8e7744a/

SH256 hash:

0e39ef64479fdca265d7a41809af208aa2720d8d3895187b5f8f7ea5370018bc

MD5 hash:

2437236f8d10cf09961dccc847f8b284

SHA1 hash:

7eb908c9870c5d79b0a74c68c2c59602cd97c302

Link:

https://www.unpac.me/results/716eb777-8a7e-44fd-b0d4-feb1f8e7744a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0e39ef64479fdca265d7a41809af208aa2720d8d3895187b5f8f7ea5370018bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/248584/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample