MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bcb883e07a0964b44b67c239b2134ee98d93a5df3bb0e7cb4c027d1373614a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1bcb883e07a0964b44b67c239b2134ee98d93a5df3bb0e7cb4c027d1373614a9
SHA3-384 hash: 38b9c27edc4bac80da6643ae6003db39316c6a248a59eb22c6a87b2e5aa4017c4866c2b80ebb5b9a3ec10cdc38a96c1a
SHA1 hash: 48518fb7f51edbd126f33e6fdb178a7771a1d41e
MD5 hash: 93c6601276f23bc4d3d324bd1da1d974
humanhash: burger-sodium-burger-emma
File name:BUSCANDO UN NUEVO PROVEEDOR DE FRUTA Número de orden de compra #127.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:680'448 bytes
First seen:2023-10-06 14:23:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:jiF7s9IcnW50G11F4ix004f9lUjGrL4q2jJJB2L5yu1aIKgGS25ilAiLmw:jiF7s9tU0G11SffUmcRk3aTE25iKiLm
Threatray 58 similar samples on MalwareBazaar
TLSH T193E4020962FC0B26EAB94BF95F75100057F27D4E0528EA4ECECA61D643BAF750910EE7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a process from a recently created file
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/1bcb883e07a0964b44b67c239b2134ee98d93a5df3bb0e7cb4c027d1373614a9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5cb5f1ab-c922-4e86-aa9f-a6b04f8e8e36
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1321037
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1bcb883e07a0964b44b67c239b2134ee98d93a5df3bb0e7cb4c027d1373614a9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-10-06 13:32:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dpfyqpqhuclewrfwpqrzwiju52mnsos56o5q47fuyat5cnzwcsuq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d
Formbook
42c0bbf88390cafcc303696b01420c9233df8822285de01dd73a1dfe8b5b11d8
Formbook
467c52a90f7d13e15318cd8c68ccd3483f7de5c728d1137916b1f440aa1e10c9
Formbook
5706d8958701b77e315dcd2d850bb5028518dbea8a851d84680f15b0669430f5
Formbook
7b798cee09b1e65922731c0ac1ddc080ce0560fe68a01c70e19bcc1bb59cd047
Formbook
a915e631517c5b9eadd5062e2c12d33521950a2650d56e69f60ed0d783f35345
Formbook
c8827b3385b4cfc8e31913a78e7e108ffeaa2cad099ccc49d4cb2c26edc5a910
Formbook
cc74e95443838d54168e736be39859926097fd7da7606b6ef4d8bfb794303eff
Formbook
cecee88a7617e74a94da62a630b47509785f2d0dd45bae200fba376915eff317
Formbook
+ 48 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231006-rqp44seh29/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
df38b37cccfb02312e680e8d750f8f57026f693f56fb517c56ef286901fcc922
MD5 hash:
13250c2575f08484ec89a7a9f270231e
SHA1 hash:
bcab5c7041bd782db6d91b96654861e65ea4a2fb
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/1fa7d026-dcf3-4d85-968f-54d855ded05c/
SH256 hash:
58142cb87448a671eb30191c7910084e4ae4c71866ff9e7e59345649c2adee73
MD5 hash:
115a128c3cc68e98bb77e271618ea672
SHA1 hash:
fa61359ff396ccd4f643f8fd406b1efb419f57d3
Link:
https://www.unpac.me/results/1fa7d026-dcf3-4d85-968f-54d855ded05c/
SH256 hash:
b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash:
5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash:
f0a192969485d1bc34bf52adf37d9c20176d6b85
Link:
https://www.unpac.me/results/1fa7d026-dcf3-4d85-968f-54d855ded05c/
SH256 hash:
af10a81d30ea6c14a0857caa64697f78672a941419d679b34eedb82e080ad46b
MD5 hash:
ec0b80883f0b18fb75a48dd18795f514
SHA1 hash:
afe9537c27362b6769a1df0ad414b8e58d34ea40
Link:
https://www.unpac.me/results/1fa7d026-dcf3-4d85-968f-54d855ded05c/
SH256 hash:
30b2bc373aa6697194ebaed62ef56d133a0c608f64e9530a1ffcc4e7125ce73c
MD5 hash:
d727bc8e946926c25039ea2f6796845f
SHA1 hash:
a29e654d4b3671ecd062edcadb57afc79200acbb
Link:
https://www.unpac.me/results/1fa7d026-dcf3-4d85-968f-54d855ded05c/
SH256 hash:
7786974eb2bcdb72c26e7c95ac1d45b204f636673ae41709b6334c8792518fd0
MD5 hash:
31bdd0a52b3b0e3d617a55ba87b6d870
SHA1 hash:
e73d7a34ba244c1d897a1f78ce4ac538c8ad831a
Link:
https://www.unpac.me/results/1fa7d026-dcf3-4d85-968f-54d855ded05c/
SH256 hash:
1bcb883e07a0964b44b67c239b2134ee98d93a5df3bb0e7cb4c027d1373614a9
MD5 hash:
93c6601276f23bc4d3d324bd1da1d974
SHA1 hash:
48518fb7f51edbd126f33e6fdb178a7771a1d41e
Link:
https://www.unpac.me/results/1fa7d026-dcf3-4d85-968f-54d855ded05c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1bcb883e07a0964b44b67c239b2134ee98d93a5df3bb0e7cb4c027d1373614a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 1bcb883e07a0964b44b67c239b2134ee98d93a5df3bb0e7cb4c027d1373614a9

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments