MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f78b4eb3d5e54f28d596b74216dd4e01de5228f42841241423e8832a82d61e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 8 File information Comments

SHA256 hash:	4f78b4eb3d5e54f28d596b74216dd4e01de5228f42841241423e8832a82d61e7
SHA3-384 hash:	5b832c50c94e26c8f59fec5216ea315a67fb985821593aaba8868a64788c48d25e5e56c831b2d8b01d8457412cc9806d
SHA1 hash:	dbe9f608ceeb9495001ec114ef016d3079d79be0
MD5 hash:	710eae0a25d7e876215891cde7890d27
humanhash:	pasta-princess-saturn-sierra
File name:	SERVICE PURCHASE ORDER.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	711'688 bytes
First seen:	2024-10-07 13:36:57 UTC
Last seen:	2024-10-07 14:30:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:Bf0zCBL93ZfuUYKNRKjxskVtdV9Km2RYq5QnImD5Q6bQavwB+FFqIzV+0IikR:B/1VJq9bMJLFmu6UawMFFqoVTO
TLSH	T145E42392AB48EB00C3459F7002D3E15643B6A15A0CE8E767877B60E68DE3FF0959177B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

378

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

SERVICE PURCHASE ORDER.exe

Verdict:

Malicious activity

Analysis date:

2024-10-07 14:09:41 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/bf55c9af-4ff5-4f4e-9c21-0969c6c60ee4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.Packed2.48125.27826.5805.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6703e404b932c04ee8fdd84a

Tags:

Powershell Injection Exploit Msil

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

invalid-signature masquerade overlay packed signed

Link:

https://www.filescan.io/uploads/6703e4314d903f1f7eeebf32/reports/b8bc307d-3851-4c50-b16d-b3e6b42946bc/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/4f78b4eb3d5e54f28d596b74216dd4e01de5228f42841241423e8832a82d61e7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2ce19f40-1e12-4209-9a88-c2c9a89e8ef3

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1528104

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4f78b4eb3d5e54f28d596b74216dd4e01de5228f42841241423e8832a82d61e7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4f78b4eb3d5e54f28d596b74216dd4e01de5228f42841241423e8832a82d61e7/

Threat name:

ByteCode-MSIL.Trojan.Injuke

Status:

Malicious

First seen:

2024-10-07 12:03:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j54lj2z5lzkpfdkznn2cc3ou4ao6kiupikcbeqkch2edfkbnmhtq._file

Verdict:

malicious

Label(s):

formbook

unknown_loader_037

Similar samples:

error

Formbook

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery execution

Link:

https://tria.ge/reports/241007-qwxwgaxglj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/aae4299e-2035-4b8d-b14c-97d650ee262b

Unpacked files

SH256 hash:

b23e9df035dda18686707b81d270c32470e2541c509c65604909ff62ab755d51

MD5 hash:

2f31392ddb86b4fdc16f591b3d6dda07

SHA1 hash:

11a87c0bcca21a6450666a210eede83f5e684e09

Link:

https://www.unpac.me/results/f0d2b4f6-795f-424e-9844-7a54709c32b3/

SH256 hash:

3c9936d2ce613f75217ea68e1fb42a70efa584881b973b19da40bac3b9dbcb34

MD5 hash:

f0afb5992968fcd72f8a05a8f4239ce2

SHA1 hash:

4e8e2e65e3661f349ab68bacea2621cb73220f0b

Link:

https://www.unpac.me/results/f0d2b4f6-795f-424e-9844-7a54709c32b3/

SH256 hash:

d7f4c2222c2a00bb8c448b173526e091744b0faade6c83f24611b8087d645efd

MD5 hash:

34f1338e33f2b1dee690177793c31896

SHA1 hash:

07a8260000f51aa5e5d4239534b8b3526bd02f86

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/f0d2b4f6-795f-424e-9844-7a54709c32b3/

SH256 hash:

682c261fcd08c676ef231f46eac1c054c8df17522846b9e4adbafb62e8482dab

MD5 hash:

5a6cead6de3340dd9e0b16d599e5d1f5

SHA1 hash:

00e25f93284ff0d2493c6df3a596891d0848399e

Link:

https://www.unpac.me/results/f0d2b4f6-795f-424e-9844-7a54709c32b3/

SH256 hash:

4f78b4eb3d5e54f28d596b74216dd4e01de5228f42841241423e8832a82d61e7

MD5 hash:

710eae0a25d7e876215891cde7890d27

SHA1 hash:

dbe9f608ceeb9495001ec114ef016d3079d79be0

Link:

https://www.unpac.me/results/f0d2b4f6-795f-424e-9844-7a54709c32b3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4f78b4eb3d5e54f28d596b74216dd4e01de5228f42841241423e8832a82d61e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 4f78b4eb3d5e54f28d596b74216dd4e01de5228f42841241423e8832a82d61e7

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample