MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 0fee68a748cf6a48faba2bf63129dbf08cf9c4d2496bd9946818329c74b6f9a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 15
| SHA256 hash: | 0fee68a748cf6a48faba2bf63129dbf08cf9c4d2496bd9946818329c74b6f9a1 |
|---|---|
| SHA3-384 hash: | 6544bc4bd2026906948a1b8823c2c3aacd02b94f06701d32bf7b1c830d0cf831d38dec7e3029ea5cc08057e14e42faa0 |
| SHA1 hash: | 22e8b17755d9376eb333928ffdd8e78f74172ca7 |
| MD5 hash: | f3729342b8055a4ca16d6320929ce097 |
| humanhash: | minnesota-pennsylvania-aspen-fillet |
| File name: | ORDER 000227APD.exe |
| Download: | download sample |
| Signature | Formbook |
| File size: | 1'185'280 bytes |
| First seen: | 2025-01-31 00:06:43 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT) |
| ssdeep | 24576:6AHnh+eWsN3skA4RV1Hom2KXFmIaIbBcFvPU5AJOHlesEIZ5:Nh+ZkldoPK1XaI1+U6AkFO |
| TLSH | T11445AD1273D1C036FFABA2739B6AF60156BD79254133852F13981DB9BC701B2263E663 |
| TrID | 63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 11.6% (.EXE) Win64 Executable (generic) (10522/11/4) 7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.9% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Magika | pebin |
| File icon (PE): |  |
| dhash icon | aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla) |
| Reporter |  cocaman |
| Tags: | exe FormBook |
Intelligence
File Origin
# of uploads :
1
# of downloads :
567
Origin country :
CHVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER 000227APD.exe
Verdict:
No threats detected
Analysis date:
2025-01-31 00:09:37 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
adaptive-context autoit compiled-script fingerprint keylogger lolbin masquerade microsoft_visual_cc msiexec packed packed packer_detected rasautou wmic
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Verdict:
Malicious
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Threat name:
Win32.Trojan.AutoitInject
Status:
Malicious
First seen:
2025-01-30 23:56:33 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
5/10
Tags:
discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Malicious
Tags:
trojan
YARA:
SUSP_Imphash_Mar23_3
Unpacked files
SH256 hash:
451c740e4f91dca2e62e49bf6a6608d237c8bb82838d04431500e69fec266cd5
MD5 hash:
b69c0c5826e0db5ed1a4fb1f700da8a3
SHA1 hash:
252c7c1c3cb28ef15ffc9a648662eb2543aa9872
Detections:
win_formbook_g0
Parent samples :
565c94ad10af9f86ee8ccae422c09dbfb797c51bf443b118a153c2e32e65af0b
5ce2f5a8a0b1ce232214fcbe96e0b3780e9409321d70fd1c0b33d22f23efb004
0fee68a748cf6a48faba2bf63129dbf08cf9c4d2496bd9946818329c74b6f9a1
e232f8344f6c183e783887263b5da10fbec109249b628dba960a4b60ff52a36f
237619efb2bf11b83ebdfb261c47c0d9f3bd62b23210b21c29c76b1584fc8952
cc3874f1aa9edb27fa3fd892a7bf53d80f93db85b97ec3b003d018a62d9a49d6
ac381e891cda88d95c3402a58a256a52f1ff4e4fd0f4803f4d4ddd43691dd81f
e8ed07ed6a89c0281acd5970a64ccd8b6f1bd804ef1826846b08b4cbb4f96490
5ce2f5a8a0b1ce232214fcbe96e0b3780e9409321d70fd1c0b33d22f23efb004
0fee68a748cf6a48faba2bf63129dbf08cf9c4d2496bd9946818329c74b6f9a1
e232f8344f6c183e783887263b5da10fbec109249b628dba960a4b60ff52a36f
237619efb2bf11b83ebdfb261c47c0d9f3bd62b23210b21c29c76b1584fc8952
cc3874f1aa9edb27fa3fd892a7bf53d80f93db85b97ec3b003d018a62d9a49d6
ac381e891cda88d95c3402a58a256a52f1ff4e4fd0f4803f4d4ddd43691dd81f
e8ed07ed6a89c0281acd5970a64ccd8b6f1bd804ef1826846b08b4cbb4f96490
SH256 hash:
14148ba5a0cdd1e26f1c7bd925cf64452bf50d65bc890ca1c3ba32b2f38b26a8
MD5 hash:
44536554fd663506bba73b88da2acc4d
SHA1 hash:
25c6edf566b5d62ae625ec72a415d2a2d422f279
SH256 hash:
0fee68a748cf6a48faba2bf63129dbf08cf9c4d2496bd9946818329c74b6f9a1
MD5 hash:
f3729342b8055a4ca16d6320929ce097
SHA1 hash:
22e8b17755d9376eb333928ffdd8e78f74172ca7
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AutoIT_Compiled |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious. |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__GlobalFlags |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__QueryInfo |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Active |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Thread |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | MD5_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for MD5 constants |
| Rule name: | pe_no_import_table |
|---|---|
| Description: | Detect pe file that no import table |
| Rule name: | RIPEMD160_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for RIPEMD-160 constants |
| Rule name: | SEH__vectored |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | SHA1_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA1 constants |
| Rule name: | shellcode |
|---|---|
| Author: | nex |
| Description: | Matched shellcode byte patterns |
| Rule name: | SUSP_Imphash_Mar23_3 |
|---|---|
| Author: | Arnim Rupp (https://github.com/ruppde) |
| Description: | Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits |
| Reference: | Internal Research |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Other
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal |
| MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW |
| WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileExW KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW |
| WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_NETWORK_API | Supports Windows Networking | MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.