MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22da6798edf7ecbc018e132ff61dff54b38704226c0f4693e8981b112e69eafc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

SHA256 hash: 22da6798edf7ecbc018e132ff61dff54b38704226c0f4693e8981b112e69eafc
SHA3-384 hash: 7cb989d42bcbb72b3e9f128d104ac1626bba3a7965dd4636775c05f44f6256a039d7031d8cc0b6ae170e02247602a91c
SHA1 hash: 428f3ab10037c2c5e18356f9b72c8d95cd0548a6
MD5 hash: ed2fce4f08d4b4ebbc737100e1a9f656
humanhash: fourteen-whiskey-one-comet
File name: Purchase Order No.1364.exe
Signature: Formbook
File size: 641'024 bytes
First seen: 2023-10-30 14:03:48 UTC
Last seen: 2023-10-30 16:49:49 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:G8669yqLzvwX/MaKXMo8nby+dCTikUSBnf6WeBPgVBANPXeVUoKACYxhw1V:+6X3IXhKXM1NCTlpxCBPgVyNPXehKYxy
Threatray: 18 similar samples on MalwareBazaar
TLSH: T101D4224231AA6F01C77CE3B55AB2916463F64B298B33DB6D1DDC22CB49B3B5803A5743
TrID:
  63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  11.2% (.SCR) Windows screen saver (13097/50/3)
  9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: c4c6a2202e223684 (12 x AgentTesla, 8 x Formbook, 2 x Loki)
Reporter: cocaman
Tags: exe FormBook payment

Intelligence

File Origin
# of uploads: 3
# of downloads: 338
Origin country: CH

Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: Purchase Order No.1364.exe
Verdict: Malicious activity
Analysis date: 2023-10-30 15:02:00 UTC
Tags: formbook xloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID: 1334295)
Sample: Purchase_Order_No.1364.exe
Start date: 30/10/2023
Architecture: WINDOWS
Score: 100

Top-level network indicators:
  www.peedeecarcredit.com
  www.miraculousstore.com
  6 other IPs or domains
Top-level signatures:
  Malicious sample detected (through community Yara rule)
  Antivirus detection for URL or domain
  Sigma detected: Scheduled temp file as task from temp location
  6 other signatures

Process tree (as recovered from the graph):
Purchase_Order_No.1364.exe (started)
  dropped: C:\Users\user\AppData\...\YJCLStpmojN.exe, PE32
  dropped: C:\Users\user\AppData\Local\...\tmp6480.tmp, XML
  signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  Purchase_Order_No.1364.exe (started)
    signature: Maps a DLL or memory area into another process
    hzfGSocIUsVFDgSkjCkQROv.exe (injected)
      cscript.exe (started)
        signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures
        hzfGSocIUsVFDgSkjCkQROv.exe (injected)
          network: www.d356.top 154.197.7.163, 80 YISUCLOUDLTD-AS-APYISUCLOUDLTDHK Seychelles
          network: www.usxqe6.cfd 142.4.124.174, 49741, 49742, 49743 PEGTECHINCUS United States
          network: 4 other IPs or domains
        firefox.exe (started)
      Magnify.exe (started)
  powershell.exe (started)
    conhost.exe (started)
  schtasks.exe (started)
    conhost.exe (started)
YJCLStpmojN.exe (started)
  signature: Multi AV Scanner detection for dropped file
  YJCLStpmojN.exe (started)
    hzfGSocIUsVFDgSkjCkQROv.exe (injected)
      signature: Maps a DLL or memory area into another process
      cscript.exe (started)
      Magnify.exe (started)
  schtasks.exe (started)
    conhost.exe (started)
  YJCLStpmojN.exe (started)
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2023-10-30 11:05:15 UTC
File Type: PE (.Net Exe)
Extracted files: 19
AV detection: 23 of 38 (60.53%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a

Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files

SHA256 hash: 3cf5244373ee8df75cd064504728ce3cafc7348a66c607b6736db849a2bd9e8d
MD5 hash: 1eb27fb8f23e1219d092e75909f3d141
SHA1 hash: b591d10302be513f2a5280537cd3c2819504a6de
Detections: win_formbook_w0 win_formbook_g0

SHA256 hash: 7b6cca1a9c079f7f76277d13db9e1dfed79a841d44b69ac93e174cc0c69cbcd6
MD5 hash: a6cca21cdb4c1ef1a42b1627dbdc55f4
SHA1 hash: bd95003d41e6e610a60d1c8cc3723e8434e16f03

SHA256 hash: d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash: 579197d4f760148a9482d1ebde113259
SHA1 hash: cf6924eb360c7e5a117323bebcb6ee02d2aec86d

SHA256 hash: a311c67e0bb00a74da93860302adb22926bedbf253cccd412609e8865aaa3577
MD5 hash: 4d9a190baac47411916c5ea0c62ebe91
SHA1 hash: c54bb84403c45557daa8ddfc23ab94b507b332b9

SHA256 hash: e731bbf86517a1c2c8521a6c4bab1c01d93211367a3acb7835d4fb5f9b1cc001
MD5 hash: 41fd343b470a74bf1fd882b660154853
SHA1 hash: 691c9357edbe5ef60d5cfbc555432796b8bb5354

SHA256 hash: 21af1da66ba21fc40f2961b617093ec15974252b08cae9657effe8c017b86683
MD5 hash: 40ff176dd73d4de2a0dd29bc987b5efe
SHA1 hash: f4ced7ec9179dfc50de7ea5c932491e67c6a1a3a

SHA256 hash: 35b13fa0cd5253e7e5995a548573ca84ebc01e5cd283625a1b3b2d060cae841b
MD5 hash: 6151edcc2c1947cefb9425cf99cb526b
SHA1 hash: 961277bf9af51c3972e47a0e6d540f6c0bc2aa69

SHA256 hash: 9a7fc071322ab7814d0fbd2b99b86b623eaa8ba5cf9f78ad440d21beb6acd92e
MD5 hash: 9591a84c18a19c3bfcb64c738b02338c
SHA1 hash: 688c5e5bb353630028131435050fd06a8b4498b8

SHA256 hash: 5eb78212b3ac91446f4b36c9a291c1f6537b20ba2dce9f5c691f41e9df0595bb
MD5 hash: 9ffbdefcdbd8512c04e048ee3e4d3d37
SHA1 hash: 4628d8fe848a87f9089bffc1372a0d039356ab39

SHA256 hash: e4936139cb1b38bda7fad9b96e17fc13b5d9141a87e36fc6d3e3e50869bb45ba
MD5 hash: b1056306548c7fbf98d7ef145d0a5957
SHA1 hash: 1ff1609312863531d3fee622c9cdd84dbe1ef615

SHA256 hash: 9f0780c5b2d4b203a4a0428da96448c3fbfd134b408419220a76f9ac8a5fd2bf
MD5 hash: 21375bef49e93315939bffe6cce416b0
SHA1 hash: 0a2e95668a63fcc40054e56a3aace49a57435b70

SHA256 hash: 22da6798edf7ecbc018e132ff61dff54b38704226c0f4693e8981b112e69eafc
MD5 hash: ed2fce4f08d4b4ebbc737100e1a9f656
SHA1 hash: 428f3ab10037c2c5e18356f9b72c8d95cd0548a6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: Formbook
File: Executable exe 22da6798edf7ecbc018e132ff61dff54b38704226c0f4693e8981b112e69eafc (this sample)

Comments