MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28e94d28c0ef766cff0b765f103a336c4d7657460cb1e811b1a16e12c645401d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28e94d28c0ef766cff0b765f103a336c4d7657460cb1e811b1a16e12c645401d
SHA3-384 hash: 3da207198dd10c064653c38ae99b13ec80a6c71b43a77ee903ecfaaa729414a266f5f99b2afd13b4ac9b41488c24ec8e
SHA1 hash: b9a11d2d4fdf5310ff692942ed7d7856574af83b
MD5 hash: bbff23df16433c89c140a0f6c5d3541e
humanhash: monkey-oscar-jupiter-potato
File name:INQ No.KP-50-000-PS-IN-INQ-0027.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:773'128 bytes
First seen:2024-04-22 16:32:32 UTC
Last seen:2024-04-22 17:26:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:lEHUeFWMMvqdFzdMviIbG5zQYFlzyMi3oz3NtTCyYLhrhZjIqZAfM4hzn9qbkR:K04MvOpdMvR8zxzzfieZCyY9lZjjZF4z
TLSH T1AEF41258767FAF11DA3D43B444128A6043F1A5B7A272E30B4FC2A4D60D63BD08D91FAB
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon c6fab0b692aab282 (4 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
348
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/66269142d2fc149e4118bb36/reports/cf2457de-fb59-4760-8a75-082a43643000/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/28e94d28c0ef766cff0b765f103a336c4d7657460cb1e811b1a16e12c645401d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MSIL Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/226870b4-9f6f-49a4-aa93-c41b1cba75c4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1429835
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1429835 Sample: INQ No.KP-50-000-PS-IN-INQ-... Startdate: 22/04/2024 Architecture: WINDOWS Score: 100 27 www.www60270.xyz 2->27 29 www.valentinaetommaso.it 2->29 31 20 other IPs or domains 2->31 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 55 4 other signatures 2->55 10 INQ No.KP-50-000-PS-IN-INQ-0027.exe 3 2->10         started        signatures3 53 Performs DNS queries to domains with low reputation 27->53 process4 process5 12 INQ No.KP-50-000-PS-IN-INQ-0027.exe 10->12         started        signatures6 59 Maps a DLL or memory area into another process 12->59 15 lOtkaHVzZHKJHoLyUnaYPrAILAf.exe 12->15 injected process7 signatures8 61 Found direct / indirect Syscall (likely to bypass EDR) 15->61 18 replace.exe 13 15->18         started        process9 signatures10 39 Tries to steal Mail credentials (via file / registry access) 18->39 41 Tries to harvest and steal browser information (history, passwords, etc) 18->41 43 Modifies the context of a thread in another process (thread injection) 18->43 45 2 other signatures 18->45 21 lOtkaHVzZHKJHoLyUnaYPrAILAf.exe 18->21 injected 25 firefox.exe 18->25         started        process11 dnsIp12 33 www.fairmarty.top 203.161.46.103, 49736, 49737, 49738 VNPT-AS-VNVNPTCorpVN Malaysia 21->33 35 aprovapapafox.com 162.240.81.18, 49744, 49745, 49746 UNIFIEDLAYER-AS-1US United States 21->35 37 10 other IPs or domains 21->37 57 Found direct / indirect Syscall (likely to bypass EDR) 21->57 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/28e94d28c0ef766cff0b765f103a336c4d7657460cb1e811b1a16e12c645401d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28e94d28c0ef766cff0b765f103a336c4d7657460cb1e811b1a16e12c645401d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-04-22 06:31:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fduu2kga553gz7ylozpraortnrgxmv2gbsy6qenrufxbfrsfiaoq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240422-t2kd4sdd87/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
5a2e2086d5d8e5cdff76eee77768850a4c5d61de4ba421ddb0de99aa519b0ee1
MD5 hash:
ca0a9b4e0d418b2f684462250dc5072d
SHA1 hash:
e8c5ffbae73d7d07953184a3bfe7889269da99af
Link:
https://www.unpac.me/results/6cae4980-bd72-4b6c-8c07-ee2029d71c0f/
SH256 hash:
f0e65bf293dcce196162c676486073a745f072db86e553e73c2e73404dacd1c0
MD5 hash:
15abc10dff1a7ab6eddea2d73f4ac80c
SHA1 hash:
c1d1bdee4577a5d95d4c4524ae922a6ba756f846
Link:
https://www.unpac.me/results/6cae4980-bd72-4b6c-8c07-ee2029d71c0f/
SH256 hash:
f69213304b5447ff9ad136eb2141a58b3976b3810f14b1c57ac0c0e0bcb926e4
MD5 hash:
ddbf83e6299647a672c7c7ae108b998f
SHA1 hash:
6cc0e4cf501825d9fb1277e0a8949f3a3310759e
Link:
https://www.unpac.me/results/6cae4980-bd72-4b6c-8c07-ee2029d71c0f/
SH256 hash:
9cd835171ce80ff8a752a2067161616a827b9683393217093c1199ddbc3d7252
MD5 hash:
ad5ca3b7a0cd21e1c1e21dc0e7d5c974
SHA1 hash:
691c5baf16d7b97829b056f389774c08d3542cdc
Link:
https://www.unpac.me/results/6cae4980-bd72-4b6c-8c07-ee2029d71c0f/
SH256 hash:
65c8264068733cd07d3bd64eb76095ce39d814a99a998d53ce22807d67c6bb43
MD5 hash:
6d07b486cf6b20af8b688902576c8604
SHA1 hash:
677f2f9da455f3a374ff6615d96a235596306468
Link:
https://www.unpac.me/results/6cae4980-bd72-4b6c-8c07-ee2029d71c0f/
SH256 hash:
28e94d28c0ef766cff0b765f103a336c4d7657460cb1e811b1a16e12c645401d
MD5 hash:
bbff23df16433c89c140a0f6c5d3541e
SHA1 hash:
b9a11d2d4fdf5310ff692942ed7d7856574af83b
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/6cae4980-bd72-4b6c-8c07-ee2029d71c0f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/28e94d28c0ef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 28e94d28c0ef766cff0b765f103a336c4d7657460cb1e811b1a16e12c645401d

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments