MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 712f1dd153cfa3cdc0d32d481f58aff6b583bc7a60a94597a8c47ced99360d89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 712f1dd153cfa3cdc0d32d481f58aff6b583bc7a60a94597a8c47ced99360d89
SHA3-384 hash: 946cecbf071a9c38fc7db69f4235e195ec73fe94a636637827f5e1c7e60bf2d242b7bf1e411bd8c8dbfe6c9a014aa7e0
SHA1 hash: c769a3dca8c8c9f2499a7a1154ad7b1ddbe84087
MD5 hash: b4db35b8d515a842523cecd060bd2f1f
humanhash: hydrogen-item-venus-summer
File name:Stampa Di Evolution Order.PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:614'400 bytes
First seen:2023-09-29 09:01:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:hO725mDTMdu7gQj+it4Uh/7XEMiJB1xNReVE4zd4Il8MRsw:nF0EA5z9iP1xNRIdFRsw
Threatray 31 similar samples on MalwareBazaar
TLSH T1F3D423C578988756CCCB473A1FDD419647313B29D803F7BCCA9E388A88BA7143622F56
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b26969e8e8e8f0f0 (23 x AgentTesla, 13 x Formbook, 3 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6516928b86207ed628208ad7/reports/2a9f2231-717c-4943-aa7b-2abc3a0570f3/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/712f1dd153cfa3cdc0d32d481f58aff6b583bc7a60a94597a8c47ced99360d89
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2b35346-0405-4b46-884b-b2131271ea56
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1316313
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/712f1dd153cfa3cdc0d32d481f58aff6b583bc7a60a94597a8c47ced99360d89/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-25 07:58:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oexr3uktz6r43qgtfveb6wfp622yhpd2mcuulf5iyr6o3gjwbweq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3b79e392617523720c040a2e0b39f0ff47593a420ecc9edcb9cd8b9e1d7baca6
Formbook
582b83da6cb0374b90790106f9e4b8a046e9d0b24cbd725c2be985c8c0a149bf
Formbook
6de402e896d0ecf6b4d55fe0ffc1b978e511a632a842e188200e5cb736893210
Formbook
75a9fc79b2513a8964a0dcf3a0749a399a857d3feb2fa3c0d62de6f51ea5971f
Formbook
7d0d45caa5fb24fef82b7ab932fcfa907db162db0e7e821d3adcc457f30764bd
Formbook
8326158d0aea2a3ee6a49cc3f88e1c3779eb479790a8b0451133a09c1ca0a777
Formbook
96a3709a8156268f9daaeac2aab9c66146967ef173e5d5d2e8a0ed8bde75ab63
Formbook
a81a0d29652f5c3497d905b124fefc89e7149f61c87b2198872c4dbe8f0c0048
Formbook
e54d0568b4987713be85f584b8311a3af96dbc703e99c0a8be6826c158120d8b
Formbook
fd39da24e0cecd5d485b4242854f6111a89b0a9359639a1c3c0abb87b75fffb1
Formbook
+ 21 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230929-kzfhpsad98/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
aaa0199eee1f45dc240b73d886c4150852dbbf77b8a71de406e758c8a530b152
MD5 hash:
50b3475881cd4949942143805d0f23cb
SHA1 hash:
c70d7387041f8001e7e3a593cfc3edffd9faffca
Link:
https://www.unpac.me/results/6aed56e2-0b21-4337-8482-1b26d2338c64/
SH256 hash:
58142cb87448a671eb30191c7910084e4ae4c71866ff9e7e59345649c2adee73
MD5 hash:
115a128c3cc68e98bb77e271618ea672
SHA1 hash:
fa61359ff396ccd4f643f8fd406b1efb419f57d3
Link:
https://www.unpac.me/results/6aed56e2-0b21-4337-8482-1b26d2338c64/
SH256 hash:
d2af99e572eeca0e277d806373cbee7735a989e804557cc0ee6e42ce34eab8cf
MD5 hash:
85833e37ab0573c639ea193487784394
SHA1 hash:
b234e1fbf9a31cbfc1baa741c75179bcbe41ce19
Link:
https://www.unpac.me/results/6aed56e2-0b21-4337-8482-1b26d2338c64/
SH256 hash:
abed99881ce1e05907653d1697ae232575d0cf067fd5cc646e2e5ee9f7337c82
MD5 hash:
491a7170bd8a7ed81d03a64ff2598bdf
SHA1 hash:
8325a5bccba80878a14032c06b78b34db808b910
Link:
https://www.unpac.me/results/6aed56e2-0b21-4337-8482-1b26d2338c64/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/6aed56e2-0b21-4337-8482-1b26d2338c64/
SH256 hash:
712f1dd153cfa3cdc0d32d481f58aff6b583bc7a60a94597a8c47ced99360d89
MD5 hash:
b4db35b8d515a842523cecd060bd2f1f
SHA1 hash:
c769a3dca8c8c9f2499a7a1154ad7b1ddbe84087
Link:
https://www.unpac.me/results/6aed56e2-0b21-4337-8482-1b26d2338c64/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/712f1dd153cfa3cdc0d32d481f58aff6b583bc7a60a94597a8c47ced99360d89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 712f1dd153cfa3cdc0d32d481f58aff6b583bc7a60a94597a8c47ced99360d89

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments