MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 626ffcb054c33c59e1caa726e5a71f11f2e6dc81a982afbca8820e09ac7929b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 19

Intelligence 19 IOCs YARA 8 File information Comments

SHA256 hash:	626ffcb054c33c59e1caa726e5a71f11f2e6dc81a982afbca8820e09ac7929b4
SHA3-384 hash:	a76a74e995a0be49d29ba204ea1e4a52e538c8c88ae81b9905a4ee842d012e3ef4e94e1ad72928e3697f9bdccd1661dc
SHA1 hash:	25939d1eed435a46a545f5c648ebf38a89921809
MD5 hash:	9347166b9363eba1d20b7730637c5e1c
humanhash:	princess-undress-kilo-ink
File name:	RFQ31072024_August order_pdf.bat
Download:	download sample
Signature	Formbook Create hunting rule
File size:	656'904 bytes
First seen:	2024-07-31 07:33:10 UTC
Last seen:	2024-07-31 08:20:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:QmjQpjndCgO+a8OJnBQs5t54KP015K1bnK2y9979RzAgmU/qUYQ4kR:QmojdCMYBQsr5DYK1bnK2y9VLzA6/H9
Threatray	2'038 similar samples on MalwareBazaar
TLSH	T1D5D422063BA4D553DDBB88F129B912465BF3F04B5D58DACD5C9231CEAEE2F829100C6B
TrID	66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.0% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	3000306969b20030 (8 x Formbook, 6 x SnakeKeylogger, 5 x AgentTesla)
Reporter	abuse_ch
Tags:	bat exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

372

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

RFQ31072024_August order_pdf.bat

Verdict:

Malicious activity

Analysis date:

2024-07-31 07:37:19 UTC

Tags:

netreactor formbook xloader stealer

Link:

https://app.any.run/tasks/094c5b9a-ece5-487f-9354-7e6bf4ce562c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66a9e8eec06bd32e596e90e1

Tags:

Encryption Execution Network Static Stealth Swotter

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Launching cmd.exe command interpreter

Setting browser functions hooks

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin masquerade overlay packed phishing tracker

Link:

https://www.filescan.io/uploads/66a9e8f2dfa8b2fced50519d/reports/81ba4b70-8fbb-4086-9533-b1d3b2cb31f2/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/626ffcb054c33c59e1caa726e5a71f11f2e6dc81a982afbca8820e09ac7929b4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f362b648-4b84-451d-af5a-40b42474ae69

Result

Threat name:

FormBook, PureLog Stealer

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1485180

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Sigma detected: Scheduled temp file as task from temp location

Switches to a custom stack to bypass stack traces

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/626ffcb054c33c59e1caa726e5a71f11f2e6dc81a982afbca8820e09ac7929b4

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/626ffcb054c33c59e1caa726e5a71f11f2e6dc81a982afbca8820e09ac7929b4/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2024-07-31 06:46:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mjx7zmcuym6ftyoku4toljy7chzonxebvgbk7pfiqihatldzfg2a._file

Verdict:

malicious

Label(s):

formbook

agenttesla

Formbook

9f17dfb2b539dbfeae4eff938a67da34bf07b6d9617c49963ec4b537449f7520

Formbook

c365a6886581c5afdc2bba03f6b8dd4af723c570002d359af8cafa1c145e4adb

Formbook

f8a6d38a7a548a8621059aaaa87265c7c8d164b0f8eac7f6c0f7e4ec201de4a2

Formbook

f9e519cd66cb6bed521306afb703672ef2ed9d82d8341398c4199be4523cad96

Formbook

+ 2'028 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ss24 discovery execution rat spyware stealer trojan

Link:

https://tria.ge/reports/240731-jd4gzayanc/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Deletes itself

Command and Scripting Interpreter: PowerShell

Formbook payload

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5c63d503-dc9d-49e8-ae64-617096267eed

Unpacked files

SH256 hash:

d7cd6c45cc22263e9d7b8bd0fd24cbfd445492cc8bebba3e47a22d54c3866b0e

MD5 hash:

85e24b73153452c8cfbb762b918f3a7b

SHA1 hash:

126ee08922729d2238449d5a9c44e78ef3c142b3

Detections:

FormBook

win_formbook_g0

win_formbook_auto

win_formbook_w0

Formbook

Link:

https://www.unpac.me/results/939f82aa-a486-4ee3-8d0d-8cb09b0405a1/

Parent samples :

626ffcb054c33c59e1caa726e5a71f11f2e6dc81a982afbca8820e09ac7929b4
9f17dfb2b539dbfeae4eff938a67da34bf07b6d9617c49963ec4b537449f7520
45bac0cd4b709400f6801f0b6dfaa5eba1d6125d3a859ade0cf2a1e53b637746
b731e1e07da1ab601c2773e2124f60e482f30f81bf2d1d64c3363c5d1f4ec08d
dc1ef9303dccebb2719b654a156860278e36cbd08bfa24cfacd82b640fb640df

SH256 hash:

f7bf5dec85a3ec02b206fa42e8b3c4857db064b1094ad80a80a4899cb3b1222f

MD5 hash:

65e978693d8b713bb2b96af6f58286ee

SHA1 hash:

fcae99ae09d804e80d7718aa30d2ea220ef340c6

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/939f82aa-a486-4ee3-8d0d-8cb09b0405a1/

Parent samples :

fec7c785b5cab74579e38a8b33a3fdfa91ea44356f31c29b793680f7740f663e
03ce36fd07bc77fb8fcb27e93d3e05053a3ac991012891b2fa96370b4ed26784
680b2535047f66d49243a54b9659a3714a2133daa2f5b8b06c7519e2fa075f64
626ffcb054c33c59e1caa726e5a71f11f2e6dc81a982afbca8820e09ac7929b4
96de213abe4abd93e28e7a7a3053906e85027b08f6333531f52da2e67b096447
3ba7694dd1ba8f1886339cc90d6c66d518745e0dd837fecd0d67c27b33712d43
f087a9852ad32d54b3691e9d25c081ee806c262c35b4704035e948d855f45246
9e6e07e5acd158d093464bf485f966d7d6ec4a6f5b36d80bc2beb3d9bb07c45e
9f17dfb2b539dbfeae4eff938a67da34bf07b6d9617c49963ec4b537449f7520
d12078dbf736a6b4c15d15c12c4fde2586164b70ab09c38f5024321fab1a6b01
cb0a8f0e6440de0c5299984554a8cafa69d326d41f29a477f6536b6934a2b732
45bac0cd4b709400f6801f0b6dfaa5eba1d6125d3a859ade0cf2a1e53b637746
d86f8e1eb90204fd06f98aae802410b345b1a2e9b561a933b1980e2e4aad99a4
6aaa71779c919eb439d209d99b8f0f9adfb89f20bd1333658c8f3cd615d054f5
9709b89b130bc2a8b0f8aaf832705d093760bf811698cfe3cc40ff1751bef020
c2c4eb306f16f75c7cc6a4afc6b5161b8f84eb242604b739d172ac1ae1f01d15
ad0f22301dd500e68662a4085fd546d09d7f8d2902369f8a537bd364c04e88aa
36609ed28222d995170a36e1d4df63fcf518bece4a965e5674cc5a03c2d2b324
ec0cb53f3f7dd573b6449bed509234445870faabe3134f554f48ac150ae99de2
158c8861036425f4e7b9df9a610a0e23d45a811c2916aa697cb01491b493e539
88e81b3ce5ac8ea73503bda113bf3e8df80928b7521c349e5e4cf46d118ea419
cdd7df460178e0239fb3342ac3f97e920069e5b2aac1c9c343923241f1b60b87
5c4064658cfc929bb45169b4ea8f237984acd8f92ee45892c1b05bffc61cf0aa
4a79a8b83afd4feb2fd2e130d54f667fa9ee6c61ecf7d61efed3753ab2450775
121de22078536795f06ad23e6db6d1627f4cab617a6264b44820839c13e4c2d3
22e07732afa9d6a1c689bd93a3f5b60205310ef8f4225aa00391d8da73d88108
18e5ff8af38bd3bd2a0a497543241be74cf4ce575cc5c564cd34e6e3f41122aa
f35f4d73501f046d2319a9d6284235bad63461584faced48db23d9fdd032a045
ec48091b8b9cc09fd9d73415078622d8b3c5fb2de818caa20814a43b1d1c14c7
d3f2be134599de5203a3eb61863b6da610df012c2fdd6e3b47ac4929132da763
fa2a38ee7933b6eec66fed45d0f14e9cb4009ce04d5b56cf7e753af46626ada0
ec90bcbed4dc9e168367b501a9ac22ce0d53f1fe0b9a976727181f4bbf6b3467
8cc3a57385ce576b1264431f444a0b0178ac53c10b69058b2898373172565337
a100af984853a3c17d51f8aa34d70bb462ce8d760ba278937479ccf27edc3b9c
3e9f3a83f830c41cfec094e86c31a8c79c032814a4f029eba014cf90b7db75ab
b731e1e07da1ab601c2773e2124f60e482f30f81bf2d1d64c3363c5d1f4ec08d
6dd94fe4a5b0297fabec9985a7ef901a1ab05fb75c1284c036e7e79c60321e86
8509fdd176d2cfd177b97085f7aa8a865c38fdc8a004f8b3222a39deaf6bf680
78fdf9c2edfb9f97d16867a8372835563cb6ce1f1128b66ead34f88cbf299dc6
1d77e6b59c60817f9c5b17e620db8c30a6fda1c3ae638961f3a907b78d4e9128
ed94e4340621581cec927c362247b765e8eec9946069d54c36cac2e7ce1236f7
c1275a93bd767e100a37e8bc22439be45698a733f71d1ba5c890f5b1b4c3e034
3f084903c5b689b3d88e36e524bd3fcbda689a2b6d2446b8b10fbd97b145db7a
dc1ef9303dccebb2719b654a156860278e36cbd08bfa24cfacd82b640fb640df
4152197ecd541c3b62d3ada6ff29bf7bb90edf2e57f96f27980f802513420897
07d7da9b867a476b6214db42000f3e731e6c83e487edb5828687529898ea2267
ab4593816a20ff7503167fc8fac03e20ab1fd7479c8d26d23baaa12f5df7bbb2
472819b55a8804b4d8787f5e45cc9b1aeb1026d5819f06e91bbc022d53ccae5c
b0758e26884a064ab95a8d86fd4e17df2e2cf7b38b1c33ebbfa0cf9b9e88b9f2
33f8b2938048a821d1c515daf12ebb890ad5751b0d06cc2942ce976d2d9d1341
0d38a75eaacd1df541127d09bdfae1fd1ccc166a8f8e5f0c8f9566c1ca7cc3ad
5e30eebbe6f8d7fafad37f578848e1800a231e240162ba954ed211766d641afe
a7ba3de84abf4628a7b7096e7f28b4d8b6946429d6f8b1e8f0b5bd05eba3db0e
ec611350a188956ae50ff4b5ebea09f16d61e843b2dd6aef2c15ea82537b273e
f3fe763c0bab8b6423578bbe031190508406459cf1648b47dcba314c95ca8fbc
850752cfce58c44ce5d48735f4d53ccc1f8d12b7e1ae00d367d9c42103d9ad99
f3dd8124dc20b5dbe2afde3eaa092c05e1eb0fae8fe16aaacfa9e0d5213f4117
eb25536bdb4fbc21cefbd43e00f58424c9458eee4059a9d5fa26aaa1c4842e0f

SH256 hash:

e1fbfdcd2f167de33430ca6f2c48729ae1f5cf7a4966067e7976b8fdd0d2dc17

MD5 hash:

bf701ea2f2e6cc802a691a770453f731

SHA1 hash:

908aaabad82ef12ec5abbffb056a9196b3b7ca6e

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/939f82aa-a486-4ee3-8d0d-8cb09b0405a1/

SH256 hash:

5983bc61c0e8914cfacccfd145a44bdebab9c204999d03e3fef7ae6f058e1551

MD5 hash:

7a15fa5952050a9f8894f5da813e1845

SHA1 hash:

0e13b3a937fd4226f0fbc8b45d826cca620da61e

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/939f82aa-a486-4ee3-8d0d-8cb09b0405a1/

Parent samples :

626ffcb054c33c59e1caa726e5a71f11f2e6dc81a982afbca8820e09ac7929b4
9f17dfb2b539dbfeae4eff938a67da34bf07b6d9617c49963ec4b537449f7520
45bac0cd4b709400f6801f0b6dfaa5eba1d6125d3a859ade0cf2a1e53b637746

SH256 hash:

626ffcb054c33c59e1caa726e5a71f11f2e6dc81a982afbca8820e09ac7929b4

MD5 hash:

9347166b9363eba1d20b7730637c5e1c

SHA1 hash:

25939d1eed435a46a545f5c648ebf38a89921809

Link:

https://www.unpac.me/results/939f82aa-a486-4ee3-8d0d-8cb09b0405a1/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/626ffcb054c3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample