MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 633e769b4943468dd81e9fa530390c4aa40aceb88fb0fb8a3e647faaea56df9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 633e769b4943468dd81e9fa530390c4aa40aceb88fb0fb8a3e647faaea56df9f
SHA3-384 hash: 51825b090f887b483a6f6a004388e09b3aa535680a39e2434297af43c32dd16f608cc2239f894276eb236a3ce4d68c13
SHA1 hash: 062bd505caf288b9dacbeda79b3c0e1826b908f1
MD5 hash: 4e5c5d8745976a380f4334645379cba9
humanhash: kilo-princess-music-kitten
File name:Purchase Order_231313_20230.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:623'104 bytes
First seen:2023-05-17 16:33:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:aYSv5oCo4E8lbo3BTNUzXUiwK6jwQ2GY+pTAK69xRjf0Tstt:ioj+back9VV2w+KmRD+
Threatray 2'865 similar samples on MalwareBazaar
TLSH T147D4D074209E4A91E01BCBF165B8FC72037174F3ADE5D9310B35A2C4CE6AF506E98A5B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order_231313_20230.exe
Verdict:
No threats detected
Analysis date:
2023-05-17 16:36:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c5b0de4d-fcc9-4e09-92cf-3cb59e3110d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/390764/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1966.29767.28311.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/646501fbca9bd33579003383/reports/57e0f51b-c92e-407e-8132-62fc885412af/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/633e769b4943468dd81e9fa530390c4aa40aceb88fb0fb8a3e647faaea56df9f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff8147d3-a8d8-4953-8936-4b342b9ad84b
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1234795
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 867777 Sample: Purchase Order_231313_20230.exe Startdate: 16/05/2023 Architecture: WINDOWS Score: 64 19 Multi AV Scanner detection for submitted file 2->19 21 .NET source code contains potential unpacker 2->21 23 Machine Learning detection for sample 2->23 25 2 other signatures 2->25 7 Purchase Order_231313_20230.exe 4 2->7         started        process3 file4 17 C:\...\Purchase Order_231313_20230.exe.log, ASCII 7->17 dropped 27 Adds a directory exclusion to Windows Defender 7->27 11 powershell.exe 21 7->11         started        13 RegSvcs.exe 7->13         started        signatures5 process6 process7 15 conhost.exe 11->15         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/633e769b4943468dd81e9fa530390c4aa40aceb88fb0fb8a3e647faaea56df9f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-16 12:48:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mm7hng2jindi3wa6t6staoimjksavtvyr6ypxcr6mr72v2sw36pq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
114f4e62ec2b81ab45799a56b183ef282b2bc5c172fd9831af33c154b23034ea
Formbook
2484f3b9e112f39471b0375d98ac190b4ffe3e29a295bcecdb8fd7b71af0094b
Formbook
28981de1a7a9617749fe0a5d19b8e0c80b2dc082118c1ca1b95e475df34e44a4
Formbook
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
Formbook
362365797a625ef308f4071bc408a35c5cf5db4c2e6847bb854b995eec8e658b
Formbook
605f71ec40753fc1ed109e605c82d7817754acf6f2ad10adf0699aec99173609
Formbook
bf7d050627a7bf67ad74bed6cf159d30c88423a1c0ef53f9fdc80b6977e79d9e
Formbook
e2c2908685e1e75ab146191d8757a42fda84c0c0be27f2fd7fe301a8fc0bb679
Formbook
fc52523013f9198bf95daa7b6f6a597b518273b54c50635784deee1e3c9dd991
Formbook
+ 2'855 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230517-t24srafg37/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
09ef1a3ac1ab881dd9ba77922828769e3512c45c1518213f486b4fa387846dba
MD5 hash:
d3c7b5966bcec96e0cb234aba798af28
SHA1 hash:
e03c98b8a6a6c21d8191f6c9fed0a00e5f3816d9
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e6298f81-d9cf-4219-98c5-7f9d99df97ff/
Parent samples :
633e769b4943468dd81e9fa530390c4aa40aceb88fb0fb8a3e647faaea56df9f
2d2e43cbbe4c81767774ac3eea5e5f199b1ad6233e4670f3c250ccb6cb7817cd
SH256 hash:
e6406411b33b59b6f05a84af9565fae4c335b013731ab222152366180cb1ef8e
MD5 hash:
7336121458c6127b1f5fa668dc05ccb5
SHA1 hash:
419171a9cae4cf7d91ffd6999e9dc070ae8432c2
Link:
https://www.unpac.me/results/e6298f81-d9cf-4219-98c5-7f9d99df97ff/
SH256 hash:
786a05aa1724e08c33fb4783afb06aa4a5508c781f3e1e5405eb459cf06c71b9
MD5 hash:
bc184e5cbf6fb7d05fecf4e12db2a989
SHA1 hash:
f79f8bdeace757d16977574266c53f498f584249
Link:
https://www.unpac.me/results/e6298f81-d9cf-4219-98c5-7f9d99df97ff/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/e6298f81-d9cf-4219-98c5-7f9d99df97ff/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
5b6174e4cf6a553e2cfc068078c31c0f9e6c313149f348cccf164fd3726d993c
MD5 hash:
b7d9a290f7f86968b01fc47604bef24a
SHA1 hash:
79c2a5445dd521458dec1d1fa14a015f160b26cc
Link:
https://www.unpac.me/results/e6298f81-d9cf-4219-98c5-7f9d99df97ff/
SH256 hash:
a7485443b331c2fca54197f53638cb11a8c82bac339b66f35b95d0ad0aceb438
MD5 hash:
dfca41d2838170cb07ef445bb7d9c987
SHA1 hash:
7622672bed23f065cafdf2a17879ebf5926aba8b
Link:
https://www.unpac.me/results/e6298f81-d9cf-4219-98c5-7f9d99df97ff/
SH256 hash:
633e769b4943468dd81e9fa530390c4aa40aceb88fb0fb8a3e647faaea56df9f
MD5 hash:
4e5c5d8745976a380f4334645379cba9
SHA1 hash:
062bd505caf288b9dacbeda79b3c0e1826b908f1
Link:
https://www.unpac.me/results/e6298f81-d9cf-4219-98c5-7f9d99df97ff/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/633e769b4943/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/633e769b4943468dd81e9fa530390c4aa40aceb88fb0fb8a3e647faaea56df9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 633e769b4943468dd81e9fa530390c4aa40aceb88fb0fb8a3e647faaea56df9f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/390764/

Comments