MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70d1125e7b5eeec17ca0248a72e7ea949bb78364928423d5ec062bd4e7eb825a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

SHA256 hash: 70d1125e7b5eeec17ca0248a72e7ea949bb78364928423d5ec062bd4e7eb825a
SHA3-384 hash: 53774a32e1f865c4644e6cad1b4056f684b8c17195fe3737392995568a42fbe018f51aca8844b02ae1ea37232d9c831a
SHA1 hash: fe050ebfa3a2acc46d6e02e48800b7fa126639d3
MD5 hash: b0b928585e5fce5f909699c23a3fdf3a
humanhash: uniform-network-comet-september
File name: rPAGOA31900.exe
Signature Formbook
File size: 644'096 bytes
First seen: 2023-05-09 11:13:41 UTC
Last seen: 2023-05-13 22:56:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:WNj5AydDfDgTWgfwgNaYbKppRFrVuwhMYYemM4P+dRy/3IdDJ+T3wutd/gakeD:W3PHgYgYYbK/r35IWpDJ+T9X/ue
Threatray 2'847 similar samples on MalwareBazaar
TLSH T102D4E0B0A16E49E1E20B89B0097CBDF61EB171D3E9EA5978073E5144DFB7B183E4490E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter FXOLabs
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 2
# of downloads: 271
Origin country: FR
Vendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
rPAGOA31900.exe
Verdict:
Malicious activity
Analysis date:
2023-05-09 11:14:54 UTC
Tags:
formbook xloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
Creating synchronization primitives
Searching for synchronization primitives
Creating a window
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed stealer
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph (ID: 862099, Sample: rPAGOA31900.exe, Startdate: 09/05/2023, Architecture: WINDOWS, Score: 100), recovered from the rendered graph as a process tree:
- Start node: DNS/IP www.horizonfourteen-help.com; signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures; started rPAGOA31900.exe
- rPAGOA31900.exe: dropped C:\Users\user\AppData\...\rPAGOA31900.exe.log (ASCII); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes; started a second rPAGOA31900.exe
- rPAGOA31900.exe (second instance): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection); injected explorer.exe
- explorer.exe: DNS/IP daniellemalton.com 192.0.78.24, ports 49698 and 80, AUTOMATTICUS, United States; www.gomuti.top; www.daniellemalton.com; System process connects to network (likely due to code injection or exploit); started cmmon32.exe
- cmmon32.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; started cmd.exe
- cmd.exe: started conhost.exe
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Status:
Malicious
First seen:
2023-05-09 09:08:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
19 of 24 (79.17%)
Threat level:
5/5
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook campaign:in62 rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SHA256 hash:
a3abd2c84affc850b509a0cc8d1296c93e7984cebdf95011ca97761bdfd6cf39
MD5 hash:
f8da6933624301c9deb2fcade90a42b8
SHA1 hash:
5667dbcd5a831a60fa9a4a277f87516a422a8496
Detections:
FormBook win_formbook_w0 win_formbook_auto win_formbook_g0
SHA256 hash:
64333d0e5f60629fa3c8e6e2aac2731d8d463ec1c7b16da16db22ba4e22e086f
MD5 hash:
55a5512acc507662d9bcebad5c34a4f0
SHA1 hash:
d1e131c2135aa0d58dbdaf0c4aa96f4f540f0298
SHA256 hash:
73d8b23c378cc1b2f913e5f860cdca36438534f89270513be16c0eec87aaabbe
MD5 hash:
1616ed010b3f91517e0307334a128851
SHA1 hash:
a8747ae1a82ae8114b04c791ac8502dca2f1b394
SHA256 hash:
83fde4c9e3bd778ea729691f2dbae3a3921ca37c620873d5015e059366bd45ab
MD5 hash:
875c44e3510ef7b26167c427e22985fb
SHA1 hash:
7085e54effb2e903cbf2bface0dad4bd28d4a7c1
SHA256 hash:
b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4
MD5 hash:
7b6143d9d94c8b80d191b77d8b6d1ba2
SHA1 hash:
1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b
SHA256 hash:
70d1125e7b5eeec17ca0248a72e7ea949bb78364928423d5ec062bd4e7eb825a
MD5 hash:
b0b928585e5fce5f909699c23a3fdf3a
SHA1 hash:
fe050ebfa3a2acc46d6e02e48800b7fa126639d3
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via e-mail attachment (Malspam)
Malware family: Formbook
Sample: Executable exe 70d1125e7b5eeec17ca0248a72e7ea949bb78364928423d5ec062bd4e7eb825a (this sample)
