MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44ba196d26ded5256953332dbcf8f1e4eef73522687836158ec13065917bb36c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 16

SHA256 hash: 44ba196d26ded5256953332dbcf8f1e4eef73522687836158ec13065917bb36c
SHA3-384 hash: a403fd662cfcae903973088fe88f23fad10a490e29ece6657c482eaad5c4b8d1dc4cc7a8bbd04fafbfe9ec8710ea700d
SHA1 hash: 54a15bf9a43476771aad3c39a10be7ec14968f1d
MD5 hash: d45cc3a4b1fef116e3ccb5f432cac245
humanhash: mango-lake-eleven-dakota
File name: invoice.pdf.exe
Signature: Formbook
File size: 944'640 bytes
First seen: 2022-05-23 19:05:11 UTC
Last seen: 2022-05-24 07:23:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep: 12288:KnG2iN4d+OWLOKw+MxtfcEiGaIFOfvVntoCawX6cGo7xAactQeOcZGxLNjSAs2UP:d1dOWPMXACgqCDKFHttZcLxS5kyl
TLSH: T19A151221B2F49B8EE8BD8BF4897056A027727D5E7460DA5F8C8674CD3931B858780F63
TrID: 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.5% (.SCR) Windows screen saver (13101/52/3)
      9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: GovCERT_CH
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 2
# of downloads: 300
Origin country: n/a

Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: invoice.pdf.exe
Verdict: Malicious activity
Analysis date: 2022-05-23 19:18:43 UTC
Tags: formbook trojan stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fareit obfuscated packed racealer

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-05-23 17:11:18 UTC
File Type: PE (.Net Exe)
Extracted files: 58
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:lt17 rat spyware stealer suricata trojan
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files

SHA256 hash: df8ff13e8c45ccf46d4ca18d41ca3388b458412f42ec57e98b8e8001b8154c7c
MD5 hash: 9a3170e3532966ea76da633dc7fcb858
SHA1 hash: f63f12ec183db0f652f5ea6af251b59a46e2120d
Detections: win_formbook_g0 win_formbook_auto

SHA256 hash: 358667f20f2145ceaf372f72e1ab26a076c4e63a079f132b9f0382b927e44c23
MD5 hash: 0293f950bf94e8abfd6346b393b51926
SHA1 hash: cfd50833eb87056c93a12394d7c8ef47ea43adae

SHA256 hash: fdd10fb67e6276b3d848c92d4686f56b2ecbea1d629795a241ca6306a2f62d55
MD5 hash: f20fd214bbda1a459a3eb415eec86017
SHA1 hash: c658f61e4f308a69a4509649439814166c655e84

SHA256 hash: 3ccf62991ac8ae2d178e665d6718c974ebe45e4c3864c274ec8284f7900139d1
MD5 hash: 73cdcd73736f225bfe54789b52b1e904
SHA1 hash: c65832ca96467c761ec6b2f31a8c83471e97fb45

SHA256 hash: 8487ac0466a0187dee3ef394d43501c3c71f527b2664246324d7205809f3d078
MD5 hash: 8c116b9145f5a075150e4c1dbcc69c61
SHA1 hash: 03a4ec0a8faa17b1c0bf8cd760c993397d4f2a67

SHA256 hash: 44ba196d26ded5256953332dbcf8f1e4eef73522687836158ec13065917bb36c (the submitted sample itself)
MD5 hash: d45cc3a4b1fef116e3ccb5f432cac245
SHA1 hash: 54a15bf9a43476771aad3c39a10be7ec14968f1d
Please note that we are no longer able to provide a coverage score for Virus Total.
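As an added example (not MalwareBazaar, sandbox-vendor or sample code), the Python below turns three items from this entry into checks a SOC analyst could run over endpoint telemetry: the SHA256 list of the sample and its unpacked files above, the "double extension" file name signature, and the "self deletion via cmd delete" signature. The process events, the path under C:\Users\alice\Downloads and the command lines are constructed for illustration; the ProcessEvent field names are an assumption rather than any sensor's schema, and only the hash set is copied from this page.

```python
"""Triage checks built from the behaviours listed in this MalwareBazaar entry.

Added example; not MalwareBazaar, sandbox-vendor or sample code. It runs over a
constructed list of Sysmon-style process-creation events and flags:
  1. a process whose image hash is one of the SHA256 values listed on this page,
  2. a double-extension image name such as invoice.pdf.exe,
  3. self-deletion via cmd.exe, i.e. a cmd.exe running `del` against the path of
     an executable that appears elsewhere in the event stream.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Iterable

# SHA256 values copied from this entry: the submitted sample and its unpacked files.
IOC_SHA256 = {
    "44ba196d26ded5256953332dbcf8f1e4eef73522687836158ec13065917bb36c",
    "df8ff13e8c45ccf46d4ca18d41ca3388b458412f42ec57e98b8e8001b8154c7c",
    "358667f20f2145ceaf372f72e1ab26a076c4e63a079f132b9f0382b927e44c23",
    "fdd10fb67e6276b3d848c92d4686f56b2ecbea1d629795a241ca6306a2f62d55",
    "3ccf62991ac8ae2d178e665d6718c974ebe45e4c3864c274ec8284f7900139d1",
    "8487ac0466a0187dee3ef394d43501c3c71f527b2664246324d7205809f3d078",
}

# Extensions Windows will execute, and the "document" extensions they get hidden behind.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "dll"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names are assumed, not a sensor schema)."""
    pid: int
    ppid: int
    image: str        # full path of the executable
    cmdline: str
    sha256: str = ""  # hash of the image file, if the sensor supplies it


def hashes_of(data: bytes) -> dict[str, str]:
    """The four identifiers MalwareBazaar lists for a file, computed with hashlib."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def is_double_extension(path: str) -> bool:
    """invoice.pdf.exe -> True; explorer.exe and report.pdf -> False."""
    parts = basename(path).lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DOC_EXT


def self_delete_via_cmd(ev: ProcessEvent, images: set[str]) -> bool:
    """cmd.exe deleting an executable that itself ran in this event stream.

    Matching against every known image path, rather than only the parent's,
    also catches a delete issued from an injected host process.
    """
    if basename(ev.image).lower() != "cmd.exe":
        return False
    cmd = ev.cmdline.lower()
    if not re.search(r"\b(del|erase)\b", cmd):
        return False
    targets = images - {ev.image.lower()}  # never match cmd.exe's own path
    return any(t in cmd for t in targets)


def triage(events: Iterable[ProcessEvent]) -> list[tuple[int, str]]:
    """Return (pid, finding) pairs in event order."""
    events = list(events)
    images = {e.image.lower() for e in events}
    findings = []
    for e in events:
        if e.sha256.lower() in IOC_SHA256:
            findings.append((e.pid, "known_ioc_hash"))
        if is_double_extension(e.image):
            findings.append((e.pid, "double_extension"))
        if self_delete_via_cmd(e, images):
            findings.append((e.pid, "self_delete_via_cmd"))
    return findings


# Constructed events: the user opens the attachment, the sample spawns cmd.exe to
# delete itself, and an unrelated cmd.exe deletes a text file (must not be flagged).
SAMPLE_EVENTS = [
    ProcessEvent(1000, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(2000, 1000, r"C:\Users\alice\Downloads\invoice.pdf.exe",
                 r'"C:\Users\alice\Downloads\invoice.pdf.exe"',
                 sha256="44ba196d26ded5256953332dbcf8f1e4eef73522687836158ec13065917bb36c"),
    ProcessEvent(2100, 2000, r"C:\Windows\System32\cmd.exe",
                 r'cmd /c del "C:\Users\alice\Downloads\invoice.pdf.exe"'),
    ProcessEvent(2200, 1000, r"C:\Windows\System32\cmd.exe",
                 r'cmd /c del "C:\Users\alice\Downloads\old_report.txt"'),
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS):
        print(pid, finding)
```

The hash check is exact-match only, so it catches this sample and its listed unpacked children but nothing repacked; the double-extension and self-delete checks are the ones that generalise to the next Formbook build.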

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Both displayed rules key on the import hash. The imphash f34d5f2d4577ed6d9ceec516c1f5a744 shown for this sample is the generic value of a .NET executable whose only native import is _CorExeMain from mscoree.dll, which is why this entry counts it across tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples; a match on it alone identifies a .NET loader, not the family.

File information

The information below shows additional details about this malware sample such as delivery method and external references.

Malspam
  Formbook
    Executable exe 44ba196d26ded5256953332dbcf8f1e4eef73522687836158ec13065917bb36c (this sample)

Dropped by: formbook
Delivery method: Distributed via e-mail attachment
