MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 686802626b55d584dba9bb97f1a9c6b61cdb1f56ab9362cb57b333109ed3a486. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	686802626b55d584dba9bb97f1a9c6b61cdb1f56ab9362cb57b333109ed3a486
SHA3-384 hash:	d91857631428c5c36dec2d4a720e395c37ca9f5c3121be4a678962fab5eb5fce4eead262c5c878aa1ea88c4eb383ce9f
SHA1 hash:	a0ebaff7957bf8799a03cca6ac70e8231d75eeec
MD5 hash:	41ab5bbead147ca7db73d398076e3fd9
humanhash:	avocado-lamp-carbon-oscar
File name:	REVISED PURCHASE ORDER.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	934'912 bytes
First seen:	2023-02-08 11:40:46 UTC
Last seen:	2023-02-10 12:34:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:l1BFwfrxN5IC54TWM/G9PXswdhfi+KOE9udmifzoaAneetX:lSjtgi55cw6+zOQmifze
TLSH	T11815CF9C7650B6EFC857C932DAA82C64AB61747B930BD207A01712ED9E0E997DF104F3
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	cocaman
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

199

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

REVISED PURCHASE ORDER.exe

Verdict:

Malicious activity

Analysis date:

2023-02-08 11:46:17 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/f77c890d-9a96-435a-82e4-3d5dabafcc1a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/361940/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.65398299.25439.14035.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

67%

Tags:

packed

Link:

https://www.filescan.io/uploads/63e38a52447edb203a034b18/reports/17a072bf-00e0-4b68-a269-26496aef2383/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/686802626b55d584dba9bb97f1a9c6b61cdb1f56ab9362cb57b333109ed3a486

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/19ace202-3718-47c4-944d-0edb52958d69

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1168728

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/686802626b55d584dba9bb97f1a9c6b61cdb1f56ab9362cb57b333109ed3a486/

Threat name:

ByteCode-MSIL.Trojan.Tnega

Status:

Malicious

First seen:

2023-02-07 10:13:20 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nbuaeytlkxkyjw5jxol7dkogwyonwh2wvojwfs2xwmzrbhwtusda._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:gg62 rat spyware stealer trojan

Link:

https://tria.ge/reports/230208-ntg15aaa5y/

Behaviour

Gathers network information

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Unpacked files

SH256 hash:

31c174403743dbc72a7d5e6755d06dde96941e75db3ccc9ad307c2704d5d1a4b

MD5 hash:

9b783827ef97a15f2a1c2d98f12b64c4

SHA1 hash:

f3cc4529714f1ae81d528a7a1fc5f36238de1ea2

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/e9de9151-bb3b-4fbd-959c-1586039e132d/

Parent samples :

dc0f8440e9ae92761e5e833b22c2448fb0f2900f9a184e823b299c74db5c1085
f79a020cedb43bbd1f4948a2566d081fed934d56f871741d2548f792e8800e7b
ed5c5ef5186a78d9dd02e7dbf36b0bcc9d6c0e733f04a6780f6bcf06dbfc3338
802ef9033535b7c8c8b6844eb030ab8fa10f6427d45d5b7f8339f5d89cff1958
342215db36f2fa15a4b72d54cb4e7a7179462dcaab9dc9f791336df867d6d286
686802626b55d584dba9bb97f1a9c6b61cdb1f56ab9362cb57b333109ed3a486
2fb0a24e905687a5443fbe50d21033e4318da3275260bd82d016a9af346bb09b

SH256 hash:

6384dabeffdc0afc3d7f1e18d0033e7482790c0aa2f1f2af7cc39eb81795d0ef

MD5 hash:

f759d70f3bbee3865d9ba45b70c59bea

SHA1 hash:

f07ca29866cf8b0d92f18904860c40a284a5f550

Link:

https://www.unpac.me/results/e9de9151-bb3b-4fbd-959c-1586039e132d/

SH256 hash:

8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7

MD5 hash:

7f225c69df031bf0560aed3847a1221a

SHA1 hash:

4d5f3ccdb2c6015d2b2a73326c0f32b173af2819

Link:

https://www.unpac.me/results/e9de9151-bb3b-4fbd-959c-1586039e132d/

SH256 hash:

41f0b100220390133b63e742983143509949a1c1e20295c008339994ca91426c

MD5 hash:

aae1982411990bf22528ea449b77b5b8

SHA1 hash:

186eeb77988cbac504c945588516c514615219b2

Link:

https://www.unpac.me/results/e9de9151-bb3b-4fbd-959c-1586039e132d/

SH256 hash:

7ad31f6f4a6b0470badcd721983e79b3db66511e88298ab40f1f46fb45ffa0ae

MD5 hash:

36ef721f4f53d0ebfa74d25b34bee43a

SHA1 hash:

163cb78d441710b55731a51da990ff1d8bae7871

Link:

https://www.unpac.me/results/e9de9151-bb3b-4fbd-959c-1586039e132d/

SH256 hash:

686802626b55d584dba9bb97f1a9c6b61cdb1f56ab9362cb57b333109ed3a486

MD5 hash:

41ab5bbead147ca7db73d398076e3fd9

SHA1 hash:

a0ebaff7957bf8799a03cca6ac70e8231d75eeec

Link:

https://www.unpac.me/results/e9de9151-bb3b-4fbd-959c-1586039e132d/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/686802626b55/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/686802626b55d584dba9bb97f1a9c6b61cdb1f56ab9362cb57b333109ed3a486

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.