MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 107d68c6296491ef2507347077005737d0c8f39f9c2695282c90bf61baf67d84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 107d68c6296491ef2507347077005737d0c8f39f9c2695282c90bf61baf67d84
SHA3-384 hash: 391008ac691d15e0a3cba5c5fb5449507bede22dfe46d37dddd44009dd69d77e96d9a372c9cb88550a62ef85adae539e
SHA1 hash: 48c36d99dca7ef1815a58ad2993784fd54763eef
MD5 hash: 3fd2e8b13faad7b9a8365faa679b093c
humanhash: virginia-kilo-kitten-sweet
File name:PO #010-240.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:613'888 bytes
First seen:2022-05-19 15:16:45 UTC
Last seen:2022-05-23 06:39:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:zYL346BxCClMsJnwp2PTRMSCHFS41EsZK6BBfL:8UMJfxp+blS63
Threatray 15'961 similar samples on MalwareBazaar
TLSH T152D41255B6FD36AAF07A89748A76A00C8B73BC719C32C35D3C94304E1876B50CAA1B77
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
6
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PO #010-240.pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-05-19 22:01:01 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/2317a23f-7c48-4573-b3b7-ae5887b18469

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/272641/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1344.5511.23892.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62865f75ff102f27123a2262/reports/2ff21e4c-0a55-4595-8f80-4284d8bcf450/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be708444-1edb-444c-b5bb-7250a1694693
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/997810
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/107d68c6296491ef2507347077005737d0c8f39f9c2695282c90bf61baf67d84/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-05-19 11:21:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
19 of 41 (46.34%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cb6wrrrjmsi66jihgryhoacxg7imr447tqtjkkbmsc7wdoxwpwca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2537720d5a68fae9bd2bd01925102deb25af75b86fbdc295f166efc97e636cfe
Formbook
2e306d4e802c3797837c61dd955ac3d42c7648747a1f44fca0381069815e8e2b
Formbook
58dc8fe3046450ddf0e00d1076440c4357f46a6829c41b85f8aa0345d51887c7
Formbook
6ecfdff224175dade2cbf63719974b5335c1a81cf787142681163ddf882ce00e
Formbook
786d7fef1f6b313461e01a67b89db558dfd79a558a2669e73ee0483717600bd0
Formbook
8c7c6966c40ca10cdb43c9520c24ae932e63429fbc858b2c05f94f1bedbe0efa
Formbook
c781169f80930851f2174df529d1aaba061c45fd7ef90c5059a7c513bfda3414
Formbook
+ 15'951 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:lt17 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220519-sn1nhabgdm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
df8ff13e8c45ccf46d4ca18d41ca3388b458412f42ec57e98b8e8001b8154c7c
MD5 hash:
9a3170e3532966ea76da633dc7fcb858
SHA1 hash:
f63f12ec183db0f652f5ea6af251b59a46e2120d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/14ff5224-9ca1-44f3-bcf2-4528d10bee4a/
Parent samples :
58dc8fe3046450ddf0e00d1076440c4357f46a6829c41b85f8aa0345d51887c7
107d68c6296491ef2507347077005737d0c8f39f9c2695282c90bf61baf67d84
44ba196d26ded5256953332dbcf8f1e4eef73522687836158ec13065917bb36c
SH256 hash:
b5e7266cf89b41b3c7dd2b4d036d5b0cdaeb88f9c084e44872a98f51e1510d27
MD5 hash:
84433b05ddf8010b508e9c2c2c1ce8fd
SHA1 hash:
5c2481f0bbf0a36a1f0e68646dc6a49f88d218c4
Link:
https://www.unpac.me/results/14ff5224-9ca1-44f3-bcf2-4528d10bee4a/
SH256 hash:
09602efe05dc6b9738b23b91708978231d20c08329940541a086561795a6c9fd
MD5 hash:
1521132bd568891debf24b4973aaa24e
SHA1 hash:
393fafe43a177d02d2a8be164101fc2add2748dc
Link:
https://www.unpac.me/results/14ff5224-9ca1-44f3-bcf2-4528d10bee4a/
SH256 hash:
05dca7c390c251f3057af9018af2f05574d18783b37403d991ccfd6144b1dccd
MD5 hash:
f4480c20687530eb6ade11ce34ef1ebb
SHA1 hash:
147c68aaa26cae0ad35e2895ef36f58d55b46e3c
Link:
https://www.unpac.me/results/14ff5224-9ca1-44f3-bcf2-4528d10bee4a/
SH256 hash:
107d68c6296491ef2507347077005737d0c8f39f9c2695282c90bf61baf67d84
MD5 hash:
3fd2e8b13faad7b9a8365faa679b093c
SHA1 hash:
48c36d99dca7ef1815a58ad2993784fd54763eef
Link:
https://www.unpac.me/results/14ff5224-9ca1-44f3-bcf2-4528d10bee4a/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/107d68c62964/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/107d68c6296491ef2507347077005737d0c8f39f9c2695282c90bf61baf67d84

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

z 13f29a3c96c0fa61028212b27c4804a9a510f6164e6ab9ed7777a6b3b60d3d01

Formbook

Executable exe 107d68c6296491ef2507347077005737d0c8f39f9c2695282c90bf61baf67d84

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/272641/
  
Dropped by
SHA256 13f29a3c96c0fa61028212b27c4804a9a510f6164e6ab9ed7777a6b3b60d3d01
  
Dropped by
MD5 4588d78a96a1201801eece034d16f273

Comments