MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60f8c4a0b8195562a53f3d4c8fbc885b606924a2a871185e13391f4a2e7cdec8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60f8c4a0b8195562a53f3d4c8fbc885b606924a2a871185e13391f4a2e7cdec8
SHA3-384 hash: cb9378e1cd4cc5ee847cfc2622f43572586179d45fe8367a2105b79080fc13e3b56705d4144f928bbd2e53d097cdc47c
SHA1 hash: 5e77835308aad11f138bf5a48f598588d6a48e9b
MD5 hash: b9af72889fa2f01829a3422a5afa27f3
humanhash: jig-asparagus-bacon-eight
File name:COMPUTATION DOC.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'282'048 bytes
First seen:2023-03-06 08:30:22 UTC
Last seen:2023-03-06 10:42:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:LAIBeJY7srsBkGgx0pRJa7pwhEzTRtmw7AJie8vZCQ:L2+gWCyJct5/7Yf
Threatray 2'497 similar samples on MalwareBazaar
TLSH T10C558C4072F8C156EDCF263C091C558E7D79AA07B562F11E9A7A36C2632B7F672CC182
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 2523232713252313 (1 x Formbook)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
COMPUTATION DOC.exe
Verdict:
Malicious activity
Analysis date:
2023-03-06 08:38:29 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/49b8bdf8-21d5-43bc-aa58-0b1ffd87e210

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371812/
Detection(s):
SecuriteInfo.com.Variant.Lazy.307114.24948.16112.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6405a4cb0e8ce4beca25ce1b/reports/769e9db2-eb3b-4bb4-b2a0-bd6df3eec11f/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/60f8c4a0b8195562a53f3d4c8fbc885b606924a2a871185e13391f4a2e7cdec8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9e3a13f-a88d-42b7-b9a4-7399ff63d6d1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1187612
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 820493 Sample: COMPUTATION_DOC.exe Startdate: 06/03/2023 Architecture: WINDOWS Score: 100 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus / Scanner detection for submitted sample 2->70 72 Sigma detected: Scheduled temp file as task from temp location 2->72 74 6 other signatures 2->74 10 COMPUTATION_DOC.exe 7 2->10         started        14 ZzBfLacVmWn.exe 5 2->14         started        process3 file4 46 C:\Users\user\AppData\...\ZzBfLacVmWn.exe, PE32 10->46 dropped 48 C:\Users\...\ZzBfLacVmWn.exe:Zone.Identifier, ASCII 10->48 dropped 50 C:\Users\user\AppData\Local\...\tmpCEEE.tmp, XML 10->50 dropped 52 C:\Users\user\...\COMPUTATION_DOC.exe.log, ASCII 10->52 dropped 82 Uses schtasks.exe or at.exe to add and modify task schedules 10->82 84 Adds a directory exclusion to Windows Defender 10->84 86 Tries to detect virtualization through RDTSC time measurements 10->86 16 COMPUTATION_DOC.exe 10->16         started        19 powershell.exe 17 10->19         started        21 schtasks.exe 1 10->21         started        88 Antivirus detection for dropped file 14->88 90 Multi AV Scanner detection for dropped file 14->90 92 Machine Learning detection for dropped file 14->92 23 ZzBfLacVmWn.exe 14->23         started        25 schtasks.exe 1 14->25         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 16->60 62 Maps a DLL or memory area into another process 16->62 64 Sample uses process hollowing technique 16->64 66 Queues an APC in another process (thread injection) 16->66 27 explorer.exe 5 6 16->27 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 25->35         started        process8 dnsIp9 54 www.3039sjbqf2022.com 188.114.97.3, 49702, 80 CLOUDFLARENETUS European Union 27->54 56 www.midwestflowsproductions.net 27->56 58 www.7bw95.com 27->58 94 System process connects to network (likely due to code injection or exploit) 27->94 96 Uses ipconfig to lookup or modify the Windows network settings 27->96 37 ipconfig.exe 27->37         started        40 wlanext.exe 27->40         started        signatures10 process11 signatures12 76 Modifies the context of a thread in another process (thread injection) 37->76 78 Maps a DLL or memory area into another process 37->78 80 Tries to detect virtualization through RDTSC time measurements 37->80 42 cmd.exe 1 37->42         started        process13 process14 44 conhost.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60f8c4a0b8195562a53f3d4c8fbc885b606924a2a871185e13391f4a2e7cdec8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-01 02:29:54 UTC
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=md4mjifydfkwfjj7hvgi7peilnqgsjfcvbyrqxqthepuult433ea._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4
Formbook
10f07d893ce971191295d3c52b3a5c761b62edde3a50981cafb2ffc5fab72dab
Formbook
342215db36f2fa15a4b72d54cb4e7a7179462dcaab9dc9f791336df867d6d286
Formbook
40c9387d1982d53944fa9a527152ab7103457d7fb3b37865af98fe399641cf75
Formbook
5dc78112397a04a6b3cef6f63aa0c817e641cb4cefb8fd91958cdfed48d57bbe
Formbook
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df
Formbook
edf9df1a661fc13c4773ac176efe0381a60a04e829e338fdbcab37b5b45170e2
Formbook
fb1ccc21ef84112ec41d904546fa6e35c0ee0ff48626b68dd2d1839f77a4b508
Formbook
fc0c647c2f34774016bfd15559698165c58324fc0f5847839b91f3aa700026f0
Formbook
+ 2'487 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:n13e rat spyware stealer trojan
Link:
https://tria.ge/reports/230306-kepwmsbc78/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
27688fe856b60a996711a64829ee298f641699283ae87e8b74fda195fb2360f7
MD5 hash:
6f15fb76756af11cc002cc4e43f70240
SHA1 hash:
0ec009516e1acd4fae5de124e6ba4af9c5ad15c2
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/95112e35-fb95-4aed-b1b8-0b86f6cbc867/
Parent samples :
60f8c4a0b8195562a53f3d4c8fbc885b606924a2a871185e13391f4a2e7cdec8
6f4246a44c4b69ed8cc30d0583be906c7a8040216321889da1bd74ba7815aedd
a5976236ba0b3e31a6dd09af3abe7d0121a4053bb22669869a874d1ba97bd495
ca48510ff7ad5639918292722adaac43494e43c83aa5439503f2c26628345b53
0a1573dddbc69e98f2a99b1447ee2188cba36391f2abb734f701a106f31f507c
9a1d1bef26696bef7c0968da056617ddef463b53f66ccfcb510b52db5e2b8721
e9ac57e43f65115bb0e5780178dae36d3a625cf21a21d6b9272d7a067c9c52a5
08fc30191cdb3900aad985dd7203f002dd7ac1176acd1ae7861021cc641b6a40
SH256 hash:
ac5bca6fe457e228645e6606386c4e7414e8941031129bf7e386317b1f4bba03
MD5 hash:
cb87b649277fadfd2585c78f3fcdb0e2
SHA1 hash:
ca50f52036bb5d8f8b7c864d3652ed7bdf4c818b
Link:
https://www.unpac.me/results/95112e35-fb95-4aed-b1b8-0b86f6cbc867/
SH256 hash:
16ca7eb63af38ffbefe7d3c75e1f8b14acafc3a6aace455ac22ed1bcc6a79bcc
MD5 hash:
5a78437544f610bc396b80e4c701374f
SHA1 hash:
b27591801c47447b407ff404d88b2b274ac3050b
Link:
https://www.unpac.me/results/95112e35-fb95-4aed-b1b8-0b86f6cbc867/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/95112e35-fb95-4aed-b1b8-0b86f6cbc867/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
219a6c7ea5bb974cc9fdf265d13d843e6ba83f2a1ec07744d4b9ca3a6ca90f38
MD5 hash:
88dd74207f3882979e21e26bf33a0e9c
SHA1 hash:
02a2db1bcbdb700f16c730a45d6ca62f805af8d4
Link:
https://www.unpac.me/results/95112e35-fb95-4aed-b1b8-0b86f6cbc867/
SH256 hash:
60f8c4a0b8195562a53f3d4c8fbc885b606924a2a871185e13391f4a2e7cdec8
MD5 hash:
b9af72889fa2f01829a3422a5afa27f3
SHA1 hash:
5e77835308aad11f138bf5a48f598588d6a48e9b
Link:
https://www.unpac.me/results/95112e35-fb95-4aed-b1b8-0b86f6cbc867/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/60f8c4a0b819/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60f8c4a0b8195562a53f3d4c8fbc885b606924a2a871185e13391f4a2e7cdec8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 60f8c4a0b8195562a53f3d4c8fbc885b606924a2a871185e13391f4a2e7cdec8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/371812/

Comments