MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18542fabceb4ca929c3b47126e86b571c26a4c67b7ef3fea148b3bbd3e5888a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

SHA256 hash: 18542fabceb4ca929c3b47126e86b571c26a4c67b7ef3fea148b3bbd3e5888a8
SHA3-384 hash: 5cea8d2ee7a89644f9ac596601ef479722aea64a60a118e6f1300e278c57a1d556577f32252d0062282f768437e4b6c8
SHA1 hash: c2e87e9695af22d59aaa87fea88f55e9595b8728
MD5 hash: 6d7d4d86beee57abc1860a828064a58f
humanhash: vegan-thirteen-autumn-hotel
File name: Confirmed Purchase Order RFQ-#000087.PDF.exe
Signature: Formbook
File size: 670'720 bytes
First seen: 2023-10-25 12:35:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:8cVmtrCjl/ExkMlR4NVHmdVFCDZGBuaLuGI0cKBI9f/ZgR/mZRM+:8M0CdeCNVHKFCD0BuaNDARgkZR5
Threatray: 5 similar samples on MalwareBazaar
TLSH: T150E4232035827761E5B71BF6BCEB02211BB58A1B6013D3082DE515FD666EF084A61F7B
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: malwarelabnet
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 317
Origin country: CA
Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: Confirmed Purchase Order RFQ-#000087.PDF.exe
Verdict: Malicious activity
Analysis date: 2023-10-25 12:37:15 UTC
Tags: formbook xloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: masquerade packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph ID: 1331872
Sample: Confirmed_Purchase_Order_RF...
Start date: 25/10/2023
Architecture: WINDOWS
Score: 100
Signatures on the sample node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 7 other signatures
Process tree (recovered from the graph edges):
Confirmed_Purchase_Order_RFQ-#000087.PDF.exe (started; signature: Adds a directory exclusion to Windows Defender)
  powershell.exe (started by the sample)
    conhost.exe (started by powershell.exe)
  Confirmed_Purchase_Order_RFQ-#000087.PDF.exe (started by the sample)
    WerFault.exe (started by this child process)
  Confirmed_Purchase_Order_RFQ-#000087.PDF.exe (started by the sample)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-10-20 10:26:42 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 26 of 38 (68.42%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SHA256 hash: 32dc39c2a473b7414151b02d77d940e0d897d1eeccc08c547803f528bacddd14
MD5 hash: b8efd5952af807eb1a3d6eaab2041bd7
SHA1 hash: de666ab23039c4d3979743602267093710ff7178
Detections: win_formbook_w0 win_formbook_g0

SHA256 hash: 45419d624e2b3e15754c82416fbef25a81fd081b13d83dbe2e8d86c5741a0bfc
MD5 hash: 3baea8a34a229bb1e63da529cd061177
SHA1 hash: bcb8da69ebf60c1110bf623c4d828569fae7eff2

SHA256 hash: b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash: 5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash: f0a192969485d1bc34bf52adf37d9c20176d6b85

SHA256 hash: 9345efb7560856978071747b3d86da98ed5a0d0c75fe2dfe72f22630661f94f3
MD5 hash: e8d833436088f358d32dda88bdbbe71a
SHA1 hash: a07812042b016d9144d39d9cbd79fb7f9f82ea7e

SHA256 hash: 55b6cb7467359aa5843d18211c5e11f2c0ec25e1e6b282596db73a65b23e1978
MD5 hash: 8127f9bf73396f3d650378c3a563f832
SHA1 hash: 4362224d0e1686b1c86cff1a5d283018154f797b

SHA256 hash: d4c9e1cd4b45aa29664336d9162c666a85cd3428523efa58030339ccfecf8abe
MD5 hash: c1a84d50be7acf101fd8bb84342f7edf
SHA1 hash: cf85bc0183a3da13d26658830836d85e55accee3

SHA256 hash: e48d2bf314fae84d19994b1edae0d1f77eeeb67106c78e0677f088691aa20fae
MD5 hash: 9834c6ae9474338adf92ab213d987cd5
SHA1 hash: a191ddf9fe15cc138addea9faf8ff980e0101d32

SHA256 hash: d9b174ae9bcb717122997babfece97589d1f5abc3317060a21de4d30b9936862
MD5 hash: 8d38fcbf5012b34ac03a373de6c0191d
SHA1 hash: 7e2321f1eb31f3c35ef73ac0d11016979268c675

SHA256 hash: b48372c74621464bf00474779c92d8a8e1c7933c5a6dbf719e48fb2c0815d548
MD5 hash: eaffe33b69c3984216f33e13dccee69a
SHA1 hash: 3c5c06d2f5688b64b569f5d53db2f52caf19319b

SHA256 hash: b015a36f388b162bb678b0ca4bd619ef911011464263b682c4734053aa9df437
MD5 hash: 9e3b6cdfe55fac0c6a42cc02b86d9985
SHA1 hash: 233b3699bf18da85b40503029fdbd5b5be2e27b3

SHA256 hash: c8a61ecef018ea701b527565d0fdfd05cabc108e824f6c1473ba716371028a29
MD5 hash: bc7629eae3d8ac39850a66894df0405a
SHA1 hash: 1941ca4665cd2470b3c52b4013d5f8d5ed0402a6

SHA256 hash: 18542fabceb4ca929c3b47126e86b571c26a4c67b7ef3fea148b3bbd3e5888a8
MD5 hash: 6d7d4d86beee57abc1860a828064a58f
SHA1 hash: c2e87e9695af22d59aaa87fea88f55e9595b8728
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments