MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b7afac2a9b048cdf2e40469ef11cc2830eff9223177a288a0bce06f6f508f71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b7afac2a9b048cdf2e40469ef11cc2830eff9223177a288a0bce06f6f508f71
SHA3-384 hash: 903adc56647f9300db46e8bc9f671ad5044391a9e13061d10d71df2a5ccbb2bd057b8a3e604e739efbd972af62f841eb
SHA1 hash: 1c4f247d7d0e5d60730c9b3fe1827a3bfe4b72da
MD5 hash: 51dd8ffd0e10e66ec32f5285b53760d7
humanhash: sierra-idaho-item-gee
File name:UNIVERSITY OF_ SHARJAH- Project FMD20240342_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:798'720 bytes
First seen:2024-05-10 07:48:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:4lOK/pbM0RwO1BEy5n3Ap8ZFX7coxYEX/DTzaJtt9y3MWa6EZJumnxtAFs:uOiM0hB/l3ApqFLEEP+ztc8Wa778s
Threatray 48 similar samples on MalwareBazaar
TLSH T1550522292999D711C4760FFE4076126027F236672992EB4C9DD274DE1EA77C0CB03ABB
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon e8d4aab2aa8eccd4 (8 x AgentTesla, 6 x Formbook, 1 x Loki)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1b7afac2a9b048cdf2e40469ef11cc2830eff9223177a288a0bce06f6f508f71.exe
Verdict:
Malicious activity
Analysis date:
2024-05-10 08:29:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/94203024-d6a6-4bed-b587-c2369bb04379

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.LokiBot-10028088-0
Create hunting rule

Win.Packed.Pwsx-10028152-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys lokibot masquerade packed
Link:
https://www.filescan.io/uploads/663dd17711114a9ab5e79a7e/reports/590d0a7d-f5d9-4423-a4ce-36a99d31a918/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/1b7afac2a9b048cdf2e40469ef11cc2830eff9223177a288a0bce06f6f508f71
Malware family:
MSIL Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10ac32f7-21fa-4840-9ced-a0b81535779e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1439419
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1439419 Sample: UNIVERSITY OF_ SHARJAH- Pro... Startdate: 10/05/2024 Architecture: WINDOWS Score: 100 28 www.eh28mf3cdv.xyz 2->28 30 www.bieniastest.xyz 2->30 32 10 other IPs or domains 2->32 42 Snort IDS alert for network traffic 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Malicious sample detected (through community Yara rule) 2->46 50 8 other signatures 2->50 10 UNIVERSITY OF_ SHARJAH- Project FMD20240342_pdf.exe 3 2->10         started        signatures3 48 Performs DNS queries to domains with low reputation 30->48 process4 signatures5 62 Injects a PE file into a foreign processes 10->62 13 UNIVERSITY OF_ SHARJAH- Project FMD20240342_pdf.exe 10->13         started        process6 signatures7 64 Maps a DLL or memory area into another process 13->64 16 SclhlWzWPoXPmPLueFHGnpTpRGdi.exe 13->16 injected process8 signatures9 40 Found direct / indirect Syscall (likely to bypass EDR) 16->40 19 DevicePairingWizard.exe 13 16->19         started        process10 signatures11 52 Tries to steal Mail credentials (via file / registry access) 19->52 54 Tries to harvest and steal browser information (history, passwords, etc) 19->54 56 Modifies the context of a thread in another process (thread injection) 19->56 58 2 other signatures 19->58 22 SclhlWzWPoXPmPLueFHGnpTpRGdi.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.pandafitnessboo.com 89.31.143.90, 49742, 49743, 49745 QSC-AG-IPXDE Germany 22->34 36 www.biotecnology.org 217.76.156.252, 49747, 49748, 49749 ONEANDONE-ASBrauerstrasse48DE Spain 22->36 38 5 other IPs or domains 22->38 60 Found direct / indirect Syscall (likely to bypass EDR) 22->60 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1b7afac2a9b048cdf2e40469ef11cc2830eff9223177a288a0bce06f6f508f71
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b7afac2a9b048cdf2e40469ef11cc2830eff9223177a288a0bce06f6f508f71/
Threat name:
ByteCode-MSIL.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2024-04-18 02:07:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dn5pvqvjwbem34xearu66eomfayo76jcgf32fcfaxtqg632qr5yq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
413bf66fb3f4c507d5e04fcd975056619d5874af3b92fa59eb9db52d18e2928b
Formbook
65568cb4787ff10ab578303eb912096f39b1565eabcc74263502e8e3540aec73
Formbook
71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0
Formbook
7833f08faa8eba4210758800620948a39a9a7bea302880d5f44739aa10bc21dc
Formbook
84176781043f8f95306328477f7b28fa721f44b1767fe740cbd207233c2a47c6
Formbook
9f586373713feb004b4bc48a2b41962933f4f4d0fd44dc2c9d402e3bfdfffef0
Formbook
b6c252883799568c28a1af098d7f1fd835181d54c3098bbd1dccacd40a23873a
Formbook
c7a16881f8c69d16a9b0bdcbfdd5c4aada81eba19521d1c03ee7f6005f7d6629
Formbook
efd15711fec91fec88b1b6c704932a4e6697b79f9ea12d2b766b53081c18d438
Formbook
f24092f3ff18dc8a33a8e87f1cd0271aaeb22a1d5202ddf59979b4b8d0d784fc
Formbook
+ 38 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240510-jnshfsbc6v/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
5fdcc2ec155388a7081619dbe78711661ce44d0d29da75ab8ae4bb9c600fdf50
MD5 hash:
dba5d7bb232add1731e6bf88caefbd93
SHA1 hash:
16356992463d358812406d3818c330c6c4f5b879
Link:
https://www.unpac.me/results/3a69ee0e-d284-4b71-b26c-dc0dea71035f/
SH256 hash:
a807bf715e0c6a5cbd2827053b9f12d72e7e5696d561a01b6f782edf96802fc8
MD5 hash:
3a1beb98a7a4cde4bc81cfdc84e156c4
SHA1 hash:
31b49b578ac6d4ee8b488d4eccc814d2ec2cbf50
Link:
https://www.unpac.me/results/3a69ee0e-d284-4b71-b26c-dc0dea71035f/
SH256 hash:
394cd0945457e975bb68742cdac58e41b4d124c17345c0137f6c8347b5855169
MD5 hash:
4f6c46c5ec5d8aba5ee2cb364152e9da
SHA1 hash:
fd3e799f190d696110bedaabc7927521a0ba31c2
Link:
https://www.unpac.me/results/3a69ee0e-d284-4b71-b26c-dc0dea71035f/
SH256 hash:
1c633f39a192f108f755e0bcf412e8489ad80781f3b7807c80892deb2526ff0d
MD5 hash:
e4b5d57e9e46a4e76075b5b92f71577f
SHA1 hash:
d76dc165724148193c6911cc75fc62c198737d3a
Link:
https://www.unpac.me/results/3a69ee0e-d284-4b71-b26c-dc0dea71035f/
Parent samples :
d89ea6a01347b82f963ed7960583e5d76c6a07e91852fae83bc290e0f64a06b2
3f700fd41c6cca501d50cc2f62afd8e0d951efc1a918aa65ab3e84ee563ff1d6
SH256 hash:
baa0bda022a64970c5be7e975198d5dd8229901e827b2bda8ed277c53e9fb950
MD5 hash:
1efe8c9276f935bf051c72a80a02d2c8
SHA1 hash:
13a1f62d3ad9375ca328ce8e393e4e235226bc3c
Link:
https://www.unpac.me/results/3a69ee0e-d284-4b71-b26c-dc0dea71035f/
SH256 hash:
1b7afac2a9b048cdf2e40469ef11cc2830eff9223177a288a0bce06f6f508f71
MD5 hash:
51dd8ffd0e10e66ec32f5285b53760d7
SHA1 hash:
1c4f247d7d0e5d60730c9b3fe1827a3bfe4b72da
Link:
https://www.unpac.me/results/3a69ee0e-d284-4b71-b26c-dc0dea71035f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1b7afac2a9b0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b7afac2a9b048cdf2e40469ef11cc2830eff9223177a288a0bce06f6f508f71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments