MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48651fcaf687d844bf32deb03c419c63e52f295739c4c0dbed2035290f75c2bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48651fcaf687d844bf32deb03c419c63e52f295739c4c0dbed2035290f75c2bf
SHA3-384 hash: 8f1a03d1861cd94225406ac70d21c83c7e00c780ee8c6e05dfef5d2bd1d4cbd6f3988bae6a6917cf5fe933f47acd740d
SHA1 hash: 167993882dd1617b2b53b1daabad25bccc827448
MD5 hash: 4b172871150d7074e7738bca40df8ef5
humanhash: beryllium-idaho-gee-summer
File name:INVOICE.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:715'776 bytes
First seen:2023-11-03 07:57:42 UTC
Last seen:2023-11-03 09:19:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:JifONZ2DqTMyMbDHrRO5tPwEoiouXbkXHaex26wB4szThbsFxgr8XP7hX:eOvx3GrRcJXGx24szFOxgrajh
Threatray 999 similar samples on MalwareBazaar
TLSH T1CCE4E10476AA5F93C5BF83F60661A41017F56CAF1428E32A9DC2B0DE1676F130A95F3B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 70f8eee0d8cc69b2 (8 x SnakeKeylogger, 5 x Formbook, 5 x DarkTortilla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
280
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
INVOICE.exe
Verdict:
Malicious activity
Analysis date:
2023-11-03 08:37:51 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/669d7b30-f9ef-44a4-b3d3-6b98b9969582

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/457970/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6544a815a6fa5eab936e4add/reports/7cb9abc2-1b62-4d1f-8467-42dbed4d43bb/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/48651fcaf687d844bf32deb03c419c63e52f295739c4c0dbed2035290f75c2bf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/88c3d187-4b87-4b8d-a112-61f1721d6827
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1336602
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1336602 Sample: INVOICE.exe Startdate: 03/11/2023 Architecture: WINDOWS Score: 100 54 www.solusiphone.com 2->54 56 www.jonoobsharq.com 2->56 58 10 other IPs or domains 2->58 72 Multi AV Scanner detection for domain / URL 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Antivirus detection for URL or domain 2->76 78 9 other signatures 2->78 10 INVOICE.exe 6 2->10         started        14 sXmySA.exe 5 2->14         started        signatures3 process4 file5 50 C:\Users\user\AppData\Roaming\sXmySA.exe, PE32 10->50 dropped 52 C:\Users\user\AppData\Local\...\tmp80D1.tmp, XML 10->52 dropped 88 Uses schtasks.exe or at.exe to add and modify task schedules 10->88 90 Adds a directory exclusion to Windows Defender 10->90 92 Injects a PE file into a foreign processes 10->92 16 INVOICE.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        23 schtasks.exe 1 10->23         started        94 Multi AV Scanner detection for dropped file 14->94 96 Machine Learning detection for dropped file 14->96 25 schtasks.exe 14->25         started        27 sXmySA.exe 14->27         started        signatures6 process7 signatures8 66 Maps a DLL or memory area into another process 16->66 68 Sample uses process hollowing technique 16->68 70 Queues an APC in another process (thread injection) 16->70 29 jTlBsBEiZScSoYuOY.exe 16->29 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        process9 process10 39 systray.exe 13 29->39         started        signatures11 80 Tries to steal Mail credentials (via file / registry access) 39->80 82 Tries to harvest and steal browser information (history, passwords, etc) 39->82 84 Deletes itself after installation 39->84 86 4 other signatures 39->86 42 explorer.exe 39->42 injected 46 jTlBsBEiZScSoYuOY.exe 39->46 injected 48 firefox.exe 39->48         started        process12 dnsIp13 60 www.couturs.xyz 203.161.55.148, 80 VNPT-AS-VNVNPTCorpVN Malaysia 42->60 62 jonoobsharq.com 185.192.112.13, 49750, 49751, 49752 POLIR Iran (ISLAMIC Republic Of) 42->62 64 5 other IPs or domains 42->64 98 System process connects to network (likely due to code injection or exploit) 42->98 signatures14
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/48651fcaf687d844bf32deb03c419c63e52f295739c4c0dbed2035290f75c2bf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48651fcaf687d844bf32deb03c419c63e52f295739c4c0dbed2035290f75c2bf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-01 03:26:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jbsr7sxwq7mejpzs32ydyqm4mpss6kkxhhcmbw7nea2ssd3vyk7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
27248f79eaa74db336b298f99edbcf84ba2f938cb9056253eeb4f0f8b31a4e48
Formbook
4a0717822fdb16a4e467b0c6737bebcaa7e81ea751da1191703de6f7f91276de
Formbook
84b98954dbed9b7e46fa6740f3352352b1f7a0d2200b2f42c2e319b6bcb2c208
Formbook
99748c64e8ad4e2f8877b76cda4e7a8c3ddd4ad8290d18ea6e3dce09ddd92e9b
Formbook
bfb1e4ae02e8f53a6d2023eeda4399be5502b9ab99770c9c3e4bfde0548a459b
Formbook
f5aa5998a1ce5f16b177ba33712da9c3049fdb0c9ddedb1031dfd0233372ab1d
Formbook
f66b4cbcde98ac876118266f3b3456ef620d94f6cd99468cbd7d7d803e2edf6f
Formbook
fa89c3083bfde83eb9d216c5e303d1c1b1e21020501da5f7cfc1ff167cd2216b
Formbook
+ 989 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231103-jtvvrseb5x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
3b072890200b6e3bf7531d9c164b1ece8d3044239bf6729f25f1d04758c1cabb
MD5 hash:
72fe5d635f6ed235fa4d76675f0bb908
SHA1 hash:
f416e2dfcebd4432d1fb09a5150fe90c18bef594
Detections:
XLoader
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/7fd6deaf-5343-4fa5-8e0c-43b79784f6c6/
Parent samples :
27248f79eaa74db336b298f99edbcf84ba2f938cb9056253eeb4f0f8b31a4e48
48651fcaf687d844bf32deb03c419c63e52f295739c4c0dbed2035290f75c2bf
SH256 hash:
44e40e1bf7c6cb88752a1296363dc53fb341276acfd716805150bce42a229609
MD5 hash:
ad71cba75e81bfc510f91c18e58597c6
SHA1 hash:
223bf210239efa28c0922326e6321ddeb3ad1fa2
Link:
https://www.unpac.me/results/7fd6deaf-5343-4fa5-8e0c-43b79784f6c6/
SH256 hash:
1dcc2630a57a85ed362bccb7a130b957b1713acdd145f7399b6dd8c62955e8e0
MD5 hash:
8763642a17fce45aa4812017fa49cefa
SHA1 hash:
bcc969039730812b9d7501247b92f06a8779cf4a
Link:
https://www.unpac.me/results/7fd6deaf-5343-4fa5-8e0c-43b79784f6c6/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/7fd6deaf-5343-4fa5-8e0c-43b79784f6c6/
SH256 hash:
2ee12faaea4b86d7370d2326be1de59f76cd15e2eddf772837b16814d2e15d69
MD5 hash:
e1e8df720932fffc6e142a36e3e50705
SHA1 hash:
a43035b526fb5d701eed2e8d35265267d6b333c7
Link:
https://www.unpac.me/results/7fd6deaf-5343-4fa5-8e0c-43b79784f6c6/
SH256 hash:
48651fcaf687d844bf32deb03c419c63e52f295739c4c0dbed2035290f75c2bf
MD5 hash:
4b172871150d7074e7738bca40df8ef5
SHA1 hash:
167993882dd1617b2b53b1daabad25bccc827448
Link:
https://www.unpac.me/results/7fd6deaf-5343-4fa5-8e0c-43b79784f6c6/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/48651fcaf687/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48651fcaf687d844bf32deb03c419c63e52f295739c4c0dbed2035290f75c2bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 48651fcaf687d844bf32deb03c419c63e52f295739c4c0dbed2035290f75c2bf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/457970/

Comments