MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 326165a2f6e94ec16dfcead4602ded488925b4d4bd32b04458bf2416cdf9b93a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 326165a2f6e94ec16dfcead4602ded488925b4d4bd32b04458bf2416cdf9b93a
SHA3-384 hash: d2cb0ac7444c443acbbec8ee490c8b5b963b65885b5ddca450a8a3b8d3e6e43c6bb66a2806d7a70df027d3b41d72286c
SHA1 hash: 7f0434e457e9d12ba998067c0e50b523fbfecebf
MD5 hash: 4205220a21e6f8478532fe05668312ab
humanhash: alpha-five-quiet-illinois
File name:Product enquiry PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:751'616 bytes
First seen:2023-04-03 12:29:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:y5CBWKdq1FbwwJLwrIe4Ghh/kVkU5S2QR1DlRftxL2S8KSvF1/8aJqxmkivs:9frpP4kB2QRtLf8pv8evs
Threatray 2'642 similar samples on MalwareBazaar
TLSH T155F42315331CE335C92683FB1422A52967FAEA277453E33E4CE86CEF9C2AB544A54D07
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Product enquiry PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-04-03 12:34:30 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/14ae4f89-fcf3-44a7-a466-24105c40d404

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/379630/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642ac6d2ed00d3450f74bcc3/reports/48ed37cf-6233-481d-888a-4fa7772aeb11/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/326165a2f6e94ec16dfcead4602ded488925b4d4bd32b04458bf2416cdf9b93a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95ce84eb-f845-42f8-9596-619eddf09c5c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1207031
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 839946 Sample: Product_enquiry_PDF.exe Startdate: 03/04/2023 Architecture: WINDOWS Score: 100 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for URL or domain 2->73 75 Sigma detected: Scheduled temp file as task from temp location 2->75 77 6 other signatures 2->77 10 Product_enquiry_PDF.exe 7 2->10         started        14 EDyfnFUFZ.exe 5 2->14         started        process3 file4 49 C:\Users\user\AppData\RoamingDyfnFUFZ.exe, PE32 10->49 dropped 51 C:\Users\...DyfnFUFZ.exe:Zone.Identifier, ASCII 10->51 dropped 53 C:\Users\user\AppData\Local\...\tmpDF96.tmp, XML 10->53 dropped 55 C:\Users\user\...\Product_enquiry_PDF.exe.log, ASCII 10->55 dropped 85 Uses schtasks.exe or at.exe to add and modify task schedules 10->85 87 Adds a directory exclusion to Windows Defender 10->87 16 RegSvcs.exe 10->16         started        19 powershell.exe 21 10->19         started        21 schtasks.exe 1 10->21         started        89 Multi AV Scanner detection for dropped file 14->89 91 Machine Learning detection for dropped file 14->91 23 RegSvcs.exe 14->23         started        25 schtasks.exe 1 14->25         started        signatures5 process6 signatures7 63 Modifies the context of a thread in another process (thread injection) 16->63 65 Maps a DLL or memory area into another process 16->65 67 Sample uses process hollowing technique 16->67 69 2 other signatures 16->69 27 explorer.exe 2 6 16->27 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 25->35         started        process8 dnsIp9 57 www.basisbola.com 156.250.64.142, 49707, 80 COMING-ASABCDEGROUPCOMPANYLIMITEDHK Seychelles 27->57 59 www.smileagainworld.com 27->59 61 2 other IPs or domains 27->61 93 System process connects to network (likely due to code injection or exploit) 27->93 37 cmmon32.exe 27->37         started        40 autochk.exe 27->40         started        42 cmd.exe 27->42         started        signatures10 process11 signatures12 79 Modifies the context of a thread in another process (thread injection) 37->79 81 Maps a DLL or memory area into another process 37->81 83 Tries to detect virtualization through RDTSC time measurements 37->83 44 cmd.exe 1 37->44         started        process13 signatures14 95 Tries to detect virtualization through RDTSC time measurements 44->95 47 conhost.exe 44->47         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/326165a2f6e94ec16dfcead4602ded488925b4d4bd32b04458bf2416cdf9b93a/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-04-03 09:54:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gjqwlixw5fhmc3p45lkgalpnjceslnguxuzlarcyx4sbntpzxe5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1035c0af69138d45af1e8a10682c5fe707ac7e4334ea1517744da7ac67dad711
Formbook
1f4ba3e37b0bb7a99563ad72e2314d7b3d1a0af6810576c2155facff5cda4944
Formbook
653acedbfd1cc43d370d69f63265a58ac180689929c376ffa72fa0d3410b4cca
Formbook
6878e66635507e66a07e77bfce182941bb31354badbcee2cc1a013d29f4ccdce
Formbook
68d4adb3846e92a85cef8d51f130b2cb8631ce5e7395fc9cd18dfcffe40a5271
Formbook
9c9e8b1e8e1abce02b30be300191b7424c10e0bec236fd9000e5b641c9ffc8ae
Formbook
af6fb4c1ccf63b051ee34879d049105a0cc2226cb6f0f03c2d1efa7a67c62a16
Formbook
b6a43c7e7e920c85e8d0228a483f4f06173c89a512f32ff0f36de6da64411d46
Formbook
d1a3a5f08d4e2b628880dc9982113a3c502ac26d377b0e7aa527cae7fe67a2d5
Formbook
f218cb48273b179ab9c039a0422797a4f1a567cf893c12ce3e6d8b5bc0932b0c
Formbook
+ 2'632 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:d23e rat spyware stealer trojan
Link:
https://tria.ge/reports/230403-pphmjagc3w/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
f2e246ce0ef109aa7da63c4b6262ff5104d8e9d14df5b8c0603a0a5ef59f9e1f
MD5 hash:
7de556f222f1cc47273c93112814f195
SHA1 hash:
f57bed4c5e79ab5ca4e025f69d72ac9490b8524e
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/8446c1c8-50af-4476-99b5-8e3498e49a60/
Parent samples :
326165a2f6e94ec16dfcead4602ded488925b4d4bd32b04458bf2416cdf9b93a
d7fb90a1b438f34eb157d31442167e611c5517027bd52bb2fe9688fa44879757
SH256 hash:
9a182866ce18f1d4c05716d39626148366f3662b72ddd3f3058a6c7585891a55
MD5 hash:
4c19299db9edda2c85e580298b919f0e
SHA1 hash:
9a1609891c0c95f0cc3b397ad8fcad709b3440d2
Link:
https://www.unpac.me/results/8446c1c8-50af-4476-99b5-8e3498e49a60/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/8446c1c8-50af-4476-99b5-8e3498e49a60/
SH256 hash:
cf4f953393139f5eabe84d9e361a1040766a50870b58b688e522263f9334ad26
MD5 hash:
4779953271e0df3ab1c9ddae9f454ea4
SHA1 hash:
4b91f246bc1a98e6ad1491aa514c8b5f2ba1941c
Link:
https://www.unpac.me/results/8446c1c8-50af-4476-99b5-8e3498e49a60/
SH256 hash:
bf54b5cdef182331539a3d8227157961f2ca4d8320d054a6737b261eceaf59c5
MD5 hash:
6d28eee35178ffbaf4590c39043b43bc
SHA1 hash:
0ba3b274ce74484d896539283d2865fb19e50c2c
Link:
https://www.unpac.me/results/8446c1c8-50af-4476-99b5-8e3498e49a60/
SH256 hash:
326165a2f6e94ec16dfcead4602ded488925b4d4bd32b04458bf2416cdf9b93a
MD5 hash:
4205220a21e6f8478532fe05668312ab
SHA1 hash:
7f0434e457e9d12ba998067c0e50b523fbfecebf
Link:
https://www.unpac.me/results/8446c1c8-50af-4476-99b5-8e3498e49a60/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/326165a2f6e9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/326165a2f6e94ec16dfcead4602ded488925b4d4bd32b04458bf2416cdf9b93a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 326165a2f6e94ec16dfcead4602ded488925b4d4bd32b04458bf2416cdf9b93a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/379630/

Comments