MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43ac733f64df5f18a72d1f36a3c5ae365f5cd791d855d72a9f887015bb71adb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 13



SHA256 hash: 43ac733f64df5f18a72d1f36a3c5ae365f5cd791d855d72a9f887015bb71adb7
SHA3-384 hash: f18c93cf36196673f49711e28be798e417d2da91d4d38bc43b94bd4c27037dd32f77d901efb26abf790592f92ee75813
SHA1 hash: 4bf78ccbcc0816bfd71757ce93d701f3e0a2a286
MD5 hash: 3ed6d3a7d0e595416a2d61d3955bb50c
humanhash: hotel-high-double-ohio
File name: RFQ-SP2351521-PDF.exe
Signature: Formbook
File size: 700'416 bytes
First seen: 2024-01-31 10:47:24 UTC
Last seen: 2024-01-31 12:50:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:plhlfu8liC5ut1Jvr8j8qshDTA26rNu+mg6hSP2Xa36KbR+2k73NgmEpyY6PNfg6:A1Jvr8bshXDLg/33x+rTNgUPNowRaI
TLSH: T115E423017536EBA4C17E67F86D589E1103B6FF46D00AE709BDE968D9ABF33010B41A93
TrID:
  63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  11.2% (.SCR) Windows screen saver (13097/50/3)
  9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: threatcat_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 284
Origin country: CH

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: MSIL Injector
Verdict: Malicious

Result
Threat name: FormBook, PureLog Stealer
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
  .NET source code contains method to dynamically call methods (often used by packers)
  .NET source code contains potential unpacker
  Initial sample is a PE file and has a suspicious name
  Injects a PE file into a foreign processes
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Maps a DLL or memory area into another process
  Multi AV Scanner detection for submitted file
  Queues an APC in another process (thread injection)
  Yara detected AntiVM3
  Yara detected FormBook
  Yara detected PureLog Stealer
Behaviour
Behavior Graph ID: 1383946
Sample: RFQ-SP2351521-PDF.exe
Start date: 31/01/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected PureLog Stealer; 6 other signatures
Process tree (recovered from the behavior graph):
  RFQ-SP2351521-PDF.exe (started): Injects a PE file into a foreign processes
    RFQ-SP2351521-PDF.exe (started, 4 instances): Maps a DLL or memory area into another process
      CbGCyTvQGmHrTpwLkrJLIyQOXqeHk.exe (injected)
        raserver.exe (started): Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
          explorer.exe (injected)
          CbGCyTvQGmHrTpwLkrJLIyQOXqeHk.exe (injected)
Threat name: ByteCode-MSIL.Trojan.Taskun
Status: Malicious
First seen: 2024-01-31 03:24:49 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: MapViewOfSection
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
Unpacked files

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__GlobalFlags
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Formbook
Author: kevoreilly
Description: Formbook Payload
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: pe_no_import_table
Description: Detect pe file that no import table
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Windows_Trojan_Formbook
Author: @malgamy12
Rule name: Windows_Trojan_Formbook_1112e116
Author: Elastic Security
Rule name: win_formbook_w0
Author: @malgamy12

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: Formbook
Sample: Executable exe 43ac733f64df5f18a72d1f36a3c5ae365f5cd791d855d72a9f887015bb71adb7 (this sample)
