MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9
SHA3-384 hash: af5a859601b3cc8978c556fd71c660f96e45ca05c911e0a8ba67d81bcf98ee8641f22c45129986465901ecfc30559ac8
SHA1 hash: ea2bc535baa5f3d9efae8df9a1928f557c72b863
MD5 hash: ba9aadaadc270f2311dc84a4c33c3a8e
humanhash: beryllium-pluto-low-mexico
File name:NUEVA ORDEN DE COMPRA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:830'976 bytes
First seen:2022-11-28 08:41:41 UTC
Last seen:2022-11-28 11:00:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:GkTDYsZ1DX/VDJtV7NuswRlClEl7xoDMvu/R9OPgpB0IOJc0:GyDYkMnoSLIMG/CPgT0Bc0
TLSH T14705F7CB1FE30E84FB1E3670188FD7441ED334A148B49CA65A715AE729035BBD6922ED
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
NUEVA ORDEN DE COMPRA.exe
Verdict:
Malicious activity
Analysis date:
2022-11-28 08:48:39 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/a2872aa6-6968-4cc8-813b-e1800aafdb48

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/339337/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1617.27124.27865.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638474615be128ac718f3d25/reports/2234d744-ccb3-43cd-afaa-c7edb41e4761/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8035fc57-28ef-4e8b-9218-c40339b804e5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1122361
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 755079 Sample: NUEVA ORDEN DE COMPRA.exe Startdate: 28/11/2022 Architecture: WINDOWS Score: 100 57 www.theminco.biz 2->57 59 theminco.biz 2->59 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for URL or domain 2->73 75 Sigma detected: Scheduled temp file as task from temp location 2->75 77 10 other signatures 2->77 11 NUEVA ORDEN DE COMPRA.exe 7 2->11         started        15 ZLEBiTF.exe 5 2->15         started        signatures3 process4 file5 49 C:\Users\user\AppData\Roaming\ZLEBiTF.exe, PE32 11->49 dropped 51 C:\Users\user\...\ZLEBiTF.exe:Zone.Identifier, ASCII 11->51 dropped 53 C:\Users\user\AppData\Local\...\tmp4DFF.tmp, XML 11->53 dropped 55 C:\Users\...55UEVA ORDEN DE COMPRA.exe.log, ASCII 11->55 dropped 85 Adds a directory exclusion to Windows Defender 11->85 17 RegSvcs.exe 11->17         started        20 powershell.exe 21 11->20         started        22 schtasks.exe 1 11->22         started        87 Multi AV Scanner detection for dropped file 15->87 89 Machine Learning detection for dropped file 15->89 24 RegSvcs.exe 15->24         started        26 schtasks.exe 1 15->26         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 17->63 65 Maps a DLL or memory area into another process 17->65 67 Sample uses process hollowing technique 17->67 69 2 other signatures 17->69 28 explorer.exe 17->28 injected 32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        36 conhost.exe 26->36         started        process9 dnsIp10 61 www.belifprint.com 107.186.210.162, 49719, 80 EGIHOSTINGUS United States 28->61 91 System process connects to network (likely due to code injection or exploit) 28->91 38 help.exe 28->38         started        41 wlanext.exe 28->41         started        43 autochk.exe 28->43         started        signatures11 process12 signatures13 79 Modifies the context of a thread in another process (thread injection) 38->79 81 Maps a DLL or memory area into another process 38->81 83 Tries to detect virtualization through RDTSC time measurements 38->83 45 cmd.exe 1 38->45         started        process14 process15 47 conhost.exe 45->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-23 14:56:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
26 of 41 (63.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iozgwdgfh2t56jei24hgkllx7pvmli7c3h5tobn4v5xd7ekswc4q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:d0a7 rat spyware stealer trojan
Link:
https://tria.ge/reports/221128-kl1xgseg2v/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
8892eba2280a5329f01601f05660f2cf6378b26079c711918122e6254f56053e
MD5 hash:
95b0147ddcfb4c39c926719904d486b8
SHA1 hash:
8b29c6db7eefc6fc2bff55348d17c1ce98582c49
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/9f90820c-c6f6-496f-a901-22a595ba1dc5/
Parent samples :
986c2fabf6b43d085dc49c812cb8514d093c53ac4beccadf311fd8e8d34b8c0a
43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9
4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf
a16f1b224236623703e2d71d4abc9e6228c90b96776c6663892387325c8e6e90
SH256 hash:
299d375dcf9b12758b5893456c5d4ea25c0710391c6795fd4223e4055292cdc7
MD5 hash:
7d69cb41540c2e0a32820af18e80bc7d
SHA1 hash:
c575ce6267fcba561593c9517e6a654526ddf86b
Link:
https://www.unpac.me/results/9f90820c-c6f6-496f-a901-22a595ba1dc5/
SH256 hash:
00e235f40a9e794b9d6cb9fb9244e321a4e632951bdb809044b0e2af07b98d35
MD5 hash:
48c6f000da9a80f92b48ef6099fa8a37
SHA1 hash:
9b43df5e56005d1ee03f16ff02f26e76272aca7c
Link:
https://www.unpac.me/results/9f90820c-c6f6-496f-a901-22a595ba1dc5/
SH256 hash:
961223946becfc1e74dda18bbfdc4fda6fe2ebf1deb07c35e40aac9c6ef1a2f8
MD5 hash:
3fc32d115b40b4f583316f6db9cae013
SHA1 hash:
5461dea741bfb79030932489560930328ddadfe7
Link:
https://www.unpac.me/results/9f90820c-c6f6-496f-a901-22a595ba1dc5/
SH256 hash:
744928a56b4d36f17e73eea0534c5e99103d1553d5b0a864a6fd9d4f9899b47f
MD5 hash:
91fed5db1afcdf48e0cd6d4058a013ba
SHA1 hash:
3717b3346e25d3f66f00626ad1a771d8655f485f
Link:
https://www.unpac.me/results/9f90820c-c6f6-496f-a901-22a595ba1dc5/
SH256 hash:
43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9
MD5 hash:
ba9aadaadc270f2311dc84a4c33c3a8e
SHA1 hash:
ea2bc535baa5f3d9efae8df9a1928f557c72b863
Link:
https://www.unpac.me/results/9f90820c-c6f6-496f-a901-22a595ba1dc5/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/43b26b0cc53e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/339337/

Comments