MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b8124423be6af37ad74816af0d1df049bc6d740117e934947b067d5fa61eb0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b8124423be6af37ad74816af0d1df049bc6d740117e934947b067d5fa61eb0b
SHA3-384 hash: 09dd5a96e444f4b9d6997cbaf2211aeacd70a029c5e50517de6836c1fbcd0e9306cd255035dfd49ea17a3cb485a629ec
SHA1 hash: d94d89ceb8d16d84b868f3b90398f986b84b7b93
MD5 hash: 55a1b24b20dcc97c9a12ea2617059725
humanhash: wolfram-six-magazine-emma
File name:purchase order #202204233111.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:566'272 bytes
First seen:2022-04-22 05:30:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:HfL6SNHjifEMeY19SRBadXalpKywzUNhScJDgBuIUIgX0QlstY+AYtv/h:/eSNmwY19SitUFwzUNUDEXvatY+Bdh
Threatray 14'606 similar samples on MalwareBazaar
TLSH T13CC412217760C2A2C4BDBB3624E1404793F5D5231A1CA65D2EB7A2F77AA1390534FB8F
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265620/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.7707.9543.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed pos replace.exe
Link:
https://www.filescan.io/uploads/62623dab482f2f41cae57c9e/reports/f5bb4444-95c7-4a87-9e14-9017a529c187/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/786329ba-513a-4b4d-b7a1-b9560c4ee46b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/981123
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicious Double Extension
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 613609 Sample: purchase order #20220423311... Startdate: 22/04/2022 Architecture: WINDOWS Score: 100 43 www.hancydesigngroup.com 2->43 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 14 other signatures 2->53 11 purchase order #202204233111.pdf.exe 7 2->11         started        signatures3 process4 file5 37 C:\Users\user\AppData\...\ivXAcygNlthou.exe, PE32 11->37 dropped 39 C:\Users\user\AppData\Local\...\tmpA6EB.tmp, XML 11->39 dropped 41 purchase order #202204233111.pdf.exe.log, ASCII 11->41 dropped 57 Adds a directory exclusion to Windows Defender 11->57 15 purchase order #202204233111.pdf.exe 11->15         started        18 powershell.exe 25 11->18         started        20 schtasks.exe 1 11->20         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 22 explorer.exe 15->22 injected 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        process9 dnsIp10 45 www.terra-station-walet.store 22->45 55 System process connects to network (likely due to code injection or exploit) 22->55 30 systray.exe 22->30         started        signatures11 process12 signatures13 59 Self deletion via cmd delete 30->59 61 Modifies the context of a thread in another process (thread injection) 30->61 63 Maps a DLL or memory area into another process 30->63 65 Tries to detect virtualization through RDTSC time measurements 30->65 33 cmd.exe 1 30->33         started        process14 process15 35 conhost.exe 33->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b8124423be6af37ad74816af0d1df049bc6d740117e934947b067d5fa61eb0b/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-04-22 01:07:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
12 of 33 (36.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=loasiqr342xtplluqfvpbuo7asn4nv2acf7jgskhwbt5l6tb5mfq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0119c8252290ab1c092ee4ab1d9cd18502909207bf3368491b1448a8f7e14513
Formbook
1bfc4e45067f4f1fc583289ac5f8ab3bba6403443f51d18c8546adf58de68501
Formbook
20ceb4d62738b1472fd88b7ea5ca3d9b1774cf1fbef328f4b349e749c68fe0b1
Formbook
2ee32fd5fafe174b2fdfa8dfd614686e9d8bf0552ff8ee78a3a1460566619769
Formbook
756e345be599ee11b7749fdcf9d20f469700e46a33779c405fac4d3df8b0f8d0
Formbook
7b3be400d99b473afc9f2bdf46477b61736a71db20cd9d1137b0cab4d4aaeff9
Formbook
ffb2ebccfae79f8c1d5911d41e549a8f876a10708053a4f3a3dbc2ec0e04be48
Formbook
+ 14'596 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o27j rat spyware stealer trojan
Link:
https://tria.ge/reports/220422-f7pzwsahe9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook Payload
Formbook
Unpacked files
SH256 hash:
1e1f574adb1ccbb65908d2d875dfb767d5408385b3cbdbc56a2008586c81f88f
MD5 hash:
cace93ae67f2039a3838bc00a76bf36c
SHA1 hash:
b133f51c2106edcdf7d0fe412a0d2472d912d59b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c0532018-0a91-496d-bd26-8c4099222aa6/
Parent samples :
5b8124423be6af37ad74816af0d1df049bc6d740117e934947b067d5fa61eb0b
5a1bd7caffd2c2663dc81fe2a635472b1dbd781f0cdc51268e9cf6d5e6e8ab79
04e123cec63f36e0860b6917805f83fe0fedc68ea1e5645747936743e83f6fd3
SH256 hash:
696a1e27e37b62795afd77d6e11689199d4280fead94e14092ef6c2176553f6e
MD5 hash:
c00c6653143757e0f2b47fd8ed19d93a
SHA1 hash:
8fc86cc65037fd0570aba14f5b38327d71b7f428
Link:
https://www.unpac.me/results/c0532018-0a91-496d-bd26-8c4099222aa6/
SH256 hash:
1f9ea91f6a9648300ff6da97f760c456a83120950b35a6e1866794ee0d50b464
MD5 hash:
7e83205f0c6999b4ed8bb7d2ca403c69
SHA1 hash:
5d2d729446649ddea073ce27c26eca7c17836758
Link:
https://www.unpac.me/results/c0532018-0a91-496d-bd26-8c4099222aa6/
SH256 hash:
8e1b71477c489cbc954c8d54d08284f759ab2cd1b65050128ecbda9ebe16904d
MD5 hash:
b477c0f043954b457d5f0f91327ec606
SHA1 hash:
0db8774ef3e2b8245504f66a35afcf987ebdaaba
Link:
https://www.unpac.me/results/c0532018-0a91-496d-bd26-8c4099222aa6/
SH256 hash:
5b8124423be6af37ad74816af0d1df049bc6d740117e934947b067d5fa61eb0b
MD5 hash:
55a1b24b20dcc97c9a12ea2617059725
SHA1 hash:
d94d89ceb8d16d84b868f3b90398f986b84b7b93
Link:
https://www.unpac.me/results/c0532018-0a91-496d-bd26-8c4099222aa6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b8124423be6af37ad74816af0d1df049bc6d740117e934947b067d5fa61eb0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5b8124423be6af37ad74816af0d1df049bc6d740117e934947b067d5fa61eb0b

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/265620/

Comments