MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 219a330b7ae9807411d289f28169861fc748f50212ae2317278bfe155d89990f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 15 File information Comments

SHA256 hash:	219a330b7ae9807411d289f28169861fc748f50212ae2317278bfe155d89990f
SHA3-384 hash:	34f496aad6f0fd07c22940a6476071695dade4ffaac2f725a1f801509cdaaafedecd238fd89169718db821584c9e94da
SHA1 hash:	3c9f400ba8c6fe7f35f20bca09e59d3bb8169035
MD5 hash:	686fed0af9eebb2581701d4e08e9ff0b
humanhash:	two-sixteen-virginia-angel
File name:	Specification and Quantity Pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'678'432 bytes
First seen:	2024-09-22 15:24:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	22a65106d3d84ea74d966fa0424a5a0c (8 x Formbook, 2 x AsyncRAT, 1 x AgentTesla)
ssdeep	49152:YAodtaG9kS2U84B+FLan9k5TRM9zlxVjZfjQq:I/B13fjQq
Threatray	3'575 similar samples on MalwareBazaar
TLSH	T1E675CF15E3A811E8D42BC634CA619633E6B179561B21B4CF0B99E3452F73EE26B7F301
TrID	47.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 35.2% (.EXE) InstallShield setup (43053/19/16) 8.6% (.EXE) Win64 Executable (generic) (10523/12/4) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
File icon (PE):
dhash icon	7cf6b6aa8ed0e8b4 (18 x Formbook, 3 x SnakeKeylogger, 2 x NanoCore)
Reporter	abuse_ch
Tags:	exe FormBook signed

Code Signing Certificate

Organisation:	Microsoft Code Signing PCA 2011
Issuer:	Microsoft Code Signing PCA 2011
Algorithm:	sha256WithRSAEncryption
Valid from:	2024-09-19T06:22:43Z
Valid to:	2025-09-19T06:22:43Z
Serial number:	1ccea94ebbfbf04721e7cdba6e184dd9
Thumbprint Algorithm:	SHA256
Thumbprint:	0f0691436e3de9e079c7adcf4d6fa538217ab742e144127111a535ceae48bb42
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

374

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Specification and Quantity Pdf.7z

Verdict:

No threats detected

Analysis date:

2024-09-19 11:21:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/92ca331f-31c9-4d03-9a59-687ef319bbde

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Dropper.Jacard-9878052-0

Win.Dropper.Formbook-9917440-0

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66ec08a977496a3b0d6ef0d9

Tags:

Encryption Execution Network Static Stealth Dropped Monitor

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a recently created process

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

fingerprint hacktool keylogger lolbin microsoft_visual_cc overlay packed regedit shell32 snake

Link:

https://www.filescan.io/uploads/66f03697bb9fe02b41b56867/reports/5fd1237f-272e-4cdb-9b06-03b7ae1cf708/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/219a330b7ae9807411d289f28169861fc748f50212ae2317278bfe155d89990f

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/f70240f2-ae83-4720-adef-c7aa92d03a8b

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1515401

Signature

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected FormBook malware

Drops PE files to the user root directory

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Sigma detected: Steal Google chrome login data

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/219a330b7ae9807411d289f28169861fc748f50212ae2317278bfe155d89990f

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/219a330b7ae9807411d289f28169861fc748f50212ae2317278bfe155d89990f/

Threat name:

Win64.Backdoor.FormBook

Status:

Malicious

First seen:

2024-09-19 11:18:17 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=egndgc325gahieosrhzic2mgd7dur5icckxcgfzhrp7bkxmjtehq._file

Verdict:

malicious

Label(s):

formbook

Formbook

2decfbf08f426be7ac5e3b7f9d15b487c1b37232e9aa194ae332a992243bec4f

Formbook

3c9bf33caa6aa11b1c87c50e1f0ae212744089508829a898bf7d9e7a3720d751

Formbook

619785d76ee2055a1aca904e2a3e7fb2db9682b99602f7537ab8cd8ade9551da

Formbook

c8500adf5318aa42e5cfe9d6efe18d328538a6d8b36765d68820d2b99c3c9626

Formbook

cd0dd222c7ba110e49ecd0aece6fa2915b5a126fed2fcdae12e114106688bee0

Formbook

ea5cca67b84c377c1c50e3e978fa2bcf6d178e8ce9cb23971c3304359b23e435

Formbook

facc6e911089bda494f8266b25d3a9b932494aac786f6fb3efb132f00db3aa29

Formbook

+ 3'565 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:n7ak credential_access discovery execution rat spyware stealer trojan

Link:

https://tria.ge/reports/240922-ss2flawekb/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Command and Scripting Interpreter: PowerShell

Credentials from Password Stores: Credentials from Web Browsers

Formbook payload

Formbook

Verdict:

Malicious

Tags:

formbook

YARA:

n/a

Link:

https://app.threat.zone/submission/bb099f18-ae79-4f84-b123-dbe1e6c997ac

Unpacked files

SH256 hash:

219a330b7ae9807411d289f28169861fc748f50212ae2317278bfe155d89990f

MD5 hash:

686fed0af9eebb2581701d4e08e9ff0b

SHA1 hash:

3c9f400ba8c6fe7f35f20bca09e59d3bb8169035

Link:

https://www.unpac.me/results/a204f42d-6af6-44d5-998d-3e42ce4a6142/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/219a330b7ae9807411d289f28169861fc748f50212ae2317278bfe155d89990f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	Detect_APT29_WINELOADER_Backdoor Create hunting rule
Author:	daniyyell
Description:	Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:	https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	Jupyter_infostealer Create hunting rule
Author:	CD_R0M_
Description:	Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::OpenProcessToken KERNEL32.dll::OpenProcess KERNEL32.dll::VirtualAllocExNuma KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThreadpoolIo KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AllocConsole KERNEL32.dll::FreeConsole KERNEL32.dll::GetConsoleWindow KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_API	Can Encrypt Files	bcrypt.dll::BCryptDestroyKey bcrypt.dll::BCryptGenerateSymmetricKey bcrypt.dll::BCryptGenRandom bcrypt.dll::BCryptOpenAlgorithmProvider bcrypt.dll::BCryptCloseAlgorithmProvider
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample