MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 629fd7db8bf28b9a395d19bdc55296d3b9048c5d631659cb1896bd8f2a679a78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 22 File information Comments

SHA256 hash:	629fd7db8bf28b9a395d19bdc55296d3b9048c5d631659cb1896bd8f2a679a78
SHA3-384 hash:	c51b96935066efa1369f3ac78829b0f6c69cfe4445a9c1cc5eb34bdfab8744f6a563dc414eb06a3dc09b38864bb4116a
SHA1 hash:	1efdf468088fb55a7bc45e7a24569175ab99a70b
MD5 hash:	462a73f0460a6f4a0efdede578c81d59
humanhash:	network-batman-minnesota-beer
File name:	HSBC Payment Advice_pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	713'728 bytes
First seen:	2023-11-30 07:26:11 UTC
Last seen:	2023-11-30 09:32:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:HVb7dL17uzIEETtsf1uMtOq4MkBzCEMEbSnu8I9F7iFRWLH9QmbCp:HVb/uID5sfOESCEMQxFHJL
Threatray	244 similar samples on MalwareBazaar
TLSH	T1F5E4128032AC8703F17B67FA6962110103F9295EA5B1E2AC5EC266EF1975F414FA0F5F
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	abuse_ch
Tags:	exe FormBook HSBC

Intelligence

File Origin

# of uploads :

# of downloads :

301

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/461332/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.59820.23026.31123.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Launching a process

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/629fd7db8bf28b9a395d19bdc55296d3b9048c5d631659cb1896bd8f2a679a78

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fd03089a-f8ab-46e1-be59-a77371e31683

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1350383

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus detection for URL or domain

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/629fd7db8bf28b9a395d19bdc55296d3b9048c5d631659cb1896bd8f2a679a78

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/629fd7db8bf28b9a395d19bdc55296d3b9048c5d631659cb1896bd8f2a679a78/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-11-28 09:27:30 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 37 (56.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mkp5pw4l6kfzuok5dg64kuuw2o4qjdc5mmlftsyys26y6kthtj4a._file

Verdict:

malicious

Label(s):

formbook

Formbook

61b2bc69e778f203b66b5c98950227e1cf7b9584a0494e2354a84034beea05f8

Formbook

9cdf9666a5b359975ad0d1fff59120ff2d7aeeaf2b6491d528a815c6bc582e5d

Formbook

c5444c85b810f99e008f31b9ea1b1a128df74044cacf326c27fe1937f5b45fdb

Formbook

+ 234 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231130-h931mshc3s/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

c04ddd6c59e5a7a09b14d6e7a63f631ebe8aaa95e082b02c549f156c55562ce9

MD5 hash:

57eeb622b1f517875f53865fa5b44d2b

SHA1 hash:

18638e3a645255de7a40b1a73e906b153e174bc8

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/c175ad33-9f0d-4f6d-a10f-b2ad02f63512/

Parent samples :

c5444c85b810f99e008f31b9ea1b1a128df74044cacf326c27fe1937f5b45fdb
9cdf9666a5b359975ad0d1fff59120ff2d7aeeaf2b6491d528a815c6bc582e5d
0cfc4a24356e2c51ac3513f44b2ab354b72bf131c334c0a5206e9c39dbf15104
629fd7db8bf28b9a395d19bdc55296d3b9048c5d631659cb1896bd8f2a679a78

SH256 hash:

e08d0968bdf8a42150184fde0ac64cf29c60cd57ec968eec358c34698f4c4a3a

MD5 hash:

ffaac75fbfb4ba8cf9fc3cb7e9399344

SHA1 hash:

413ba56d78a56f06f466491c211068b46489ae0b

Link:

https://www.unpac.me/results/c175ad33-9f0d-4f6d-a10f-b2ad02f63512/

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/c175ad33-9f0d-4f6d-a10f-b2ad02f63512/

SH256 hash:

2a0290a662e89a81ed2d9c73e54a0aeba209fc36617f134cf0aaa74690db47db

MD5 hash:

4820945deb84d6bd26460e8a6ba0c622

SHA1 hash:

c519540ad21594fa45fcc2e6e15cfbea8b3449b9

Link:

https://www.unpac.me/results/c175ad33-9f0d-4f6d-a10f-b2ad02f63512/

SH256 hash:

109260d1326668f88bafcd6958db42fb4958a8fbacd0890059091ed6c8e5a121

MD5 hash:

7d96bbd049614b45b6f5945bcbd2fce3

SHA1 hash:

285b0ef7267e02a3915b728a8488918dd8e3d6e7

Link:

https://www.unpac.me/results/c175ad33-9f0d-4f6d-a10f-b2ad02f63512/

SH256 hash:

ac77c2b3a3356827d907effe316d69f50c97c97c4536b19f5afb4dbf265eb6bd

MD5 hash:

afea8695109a17999eff29a9d0765d33

SHA1 hash:

ecfcd64de389ebf23bdbe32e5de4fd2566c125c6

Link:

https://www.unpac.me/results/c175ad33-9f0d-4f6d-a10f-b2ad02f63512/

SH256 hash:

4e67e837967f736d1521c7f874111407e48db83f86715cefd3ead302f4625c0f

MD5 hash:

546a511229704756d24ebbb132d866f3

SHA1 hash:

deffd875b6422e87f12758632bd1f74577e74e68

Link:

https://www.unpac.me/results/c175ad33-9f0d-4f6d-a10f-b2ad02f63512/

SH256 hash:

ddaa86dd3d96a68fcf707ea9f57497085b331d6e09b8e6a9f791caf74005d4e9

MD5 hash:

fd42d0429dc3c25ed9d548200af4c200

SHA1 hash:

c4ed7dad7ed70a30ee04406ad15e26e90ee4ff65

Link:

https://www.unpac.me/results/c175ad33-9f0d-4f6d-a10f-b2ad02f63512/

SH256 hash:

082e6ba8281c4abeaa5cf2986396b927b51e322a335fe9da37132da406975b86

MD5 hash:

3426c7c62e942a047b0522fb7eae203d

SHA1 hash:

c1385b45077f5299bfb20e66f0d341cfe2733dcb

Link:

https://www.unpac.me/results/c175ad33-9f0d-4f6d-a10f-b2ad02f63512/

SH256 hash:

beda02714636498ffafb2bec5f3d9b4ed17cd433d6bdcad3a2f683954dc47428

MD5 hash:

4cab30ddeb849747847c917f2a1f1de2

SHA1 hash:

bf6733989d9080ce5505f9eb2dda9480c9a2071a

Link:

https://www.unpac.me/results/c175ad33-9f0d-4f6d-a10f-b2ad02f63512/

SH256 hash:

01de20ba9e6f2c723524d9d1d63bae02a16a11a159d1685cc20b6b78c34a16a8

MD5 hash:

33721068cae5f7ac2b3d9487d0273df0

SHA1 hash:

1c376b77b06c4497970a519af9c30283a82453f8

Link:

https://www.unpac.me/results/c175ad33-9f0d-4f6d-a10f-b2ad02f63512/

SH256 hash:

629fd7db8bf28b9a395d19bdc55296d3b9048c5d631659cb1896bd8f2a679a78

MD5 hash:

462a73f0460a6f4a0efdede578c81d59

SHA1 hash:

1efdf468088fb55a7bc45e7a24569175ab99a70b

Link:

https://www.unpac.me/results/c175ad33-9f0d-4f6d-a10f-b2ad02f63512/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/629fd7db8bf28b9a395d19bdc55296d3b9048c5d631659cb1896bd8f2a679a78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/461332/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample