MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2143e9fe2cf7658859b05fb300e58e293da9f0872219ff8e00bfa80435534378. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 16



SHA256 hash: 2143e9fe2cf7658859b05fb300e58e293da9f0872219ff8e00bfa80435534378
SHA3-384 hash: d63685910c7c78cb77f293827b192d1ff27b09589ec7a4d9d5a551c2ffc0f1bb435579fc5ff1127da2289007a6ed5d86
SHA1 hash: 49c21bd7147370d2d6c751c9f3b4cb02077df6ed
MD5 hash: 129fde986d0f28d1d4dc333fd8a97478
humanhash: fifteen-five-oven-foxtrot
File name: PO-000172483 pdf.exe
Signature: Formbook
File size: 905'216 bytes
First seen: 2025-01-08 11:46:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 24576:pU99GRgReyHcR3h7Oesc45vBcz87ZW2lfZi7+:p8ZIEiRTr45vqQ71l
TLSH: T12A159D092356E4CED0D745BC5893FFB791004D494622C2C247EEBAAB369B98EB90F1D7
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
File icon (PE): PE icon
dhash icon: 33694d96962b2b2f (2 x Formbook, 1 x AsyncRAT, 1 x Loki)
Reporter: TeamDreier
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 438
Origin country: DK
Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: message__256097b4a9c46935c2d6d007584e6044_smartechdubai_com_.eml
Verdict: Malicious activity
Analysis date: 2025-01-07 11:37:55 UTC
Tags: arch-exec stealer formbook xloader netreactor

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: underscore shell virus msil
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed packed packer_detected phishing vbnet
Result
Threat name: FormBook, PureLog Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1585888
Sample: PO-000172483 pdf.exe
Start date: 08/01/2025
Architecture: WINDOWS
Score: 100
Contacted domains: www.tabyscooterrentals.xyz, www.milp.store, 5 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 11 other signatures
Process tree:
  PO-000172483 pdf.exe (started)
    Performs DNS queries to domains with low reputation (www.tabyscooterrentals.xyz)
    Dropped: C:\Users\user\...\PO-000172483 pdf.exe.log (ASCII)
    Adds a directory exclusion to Windows Defender
    Injects a PE file into a foreign processes
    Started: PO-000172483 pdf.exe, powershell.exe, WMIADAP.exe, 2 other processes
    PO-000172483 pdf.exe (child)
      Maps a DLL or memory area into another process
      Injected into: ycnUEzgloE.exe
    powershell.exe
      Loading BitLocker PowerShell Module
      Started: conhost.exe
    ycnUEzgloE.exe (injected)
      Found direct / indirect Syscall (likely to bypass EDR)
      Started: cttune.exe
    cttune.exe
      Tries to steal Mail credentials (via file / registry access)
      Tries to harvest and steal browser information (history, passwords, etc)
      Modifies the context of a thread in another process (thread injection)
      3 other signatures
      Injected into: ycnUEzgloE.exe
      Started: firefox.exe
    ycnUEzgloE.exe (injected by cttune.exe)
      Found direct / indirect Syscall (likely to bypass EDR)
      Network: www.milp.store 194.9.94.85, ports 57576, 57577, 57578 (LOOPIASE, Sweden); www.jyshe18.buzz 172.67.131.144, ports 57580, 57581, 57582 (CLOUDFLARENETUS, United States); natroredirect.natrocdn.com 85.159.66.93, ports 57575, 80 (CIZGITR, Turkey)
Threat name: Win32.Backdoor.FormBook
Status: Malicious
First seen: 2025-01-07 13:04:07 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 23 of 38 (60.53%)
Threat level: 5/5
Verdict: malicious
Label(s): unknown_loader_037 formbook
Similar samples:
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 28791fd8548780ded6c1c907956ffb1f476dc17f16f8f3e9c7d44b8112ce87c3
MD5 hash: 464916c8550a17df40775f2e87fc5247
SHA1 hash: 3596c5a64b69b6771582ec7186d6c38dd2214f01

SHA256 hash: 69d6fc0daa63ece1c4a775ec36615470ce86458584139be4c3ed3ed38ff0b9d8
MD5 hash: 0cef64c6536c37e518af0af027ff434d
SHA1 hash: 3e6d9d6814b79f755fce243c4bdedd1ad079aead
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 4de1f0a21ef98284bff986c91c56da0d1e130c1e983ea5f6854f0e724a405c76
MD5 hash: be0804cf30f52efc8f461ec3053dad1d
SHA1 hash: 2ac0dd1095c117ae4ee6c1f9cf025300a2232a89

SHA256 hash: 762805dfed9e82e38446e96025a289404041eed11af7097ccc805649dc344e04
MD5 hash: 5177d2e03b86c2bcd4615462dd0a751f
SHA1 hash: 0ed04f75d91fbbc5b696641a0f4f0436bf48830f

SHA256 hash: 2143e9fe2cf7658859b05fb300e58e293da9f0872219ff8e00bfa80435534378
MD5 hash: 129fde986d0f28d1d4dc333fd8a97478
SHA1 hash: 49c21bd7147370d2d6c751c9f3b4cb02077df6ed
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: Formbook
File: Executable exe 2143e9fe2cf7658859b05fb300e58e293da9f0872219ff8e00bfa80435534378 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                            Severity
CHECK_AUTHENTICODE         Missing Authenticode                             high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (GUARD_CF)  high

Comments