MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7145d9d7dd02971872d0f257c6d833125882a9a710d5a631f3f4e2adcdfec125. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7145d9d7dd02971872d0f257c6d833125882a9a710d5a631f3f4e2adcdfec125
SHA3-384 hash: 81ab42299c23336cc3697917171c99734af663512f6fc577bc93febd7597bd1862c077925230202c594882574c49d920
SHA1 hash: dcce0de0ddb73ff8acb0ffa7ef095724ac4f2487
MD5 hash: 4d4fa95111e180bb6072b32c98ebeb28
humanhash: jig-east-massachusetts-november
File name:Hesaphareketi-01.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:717'824 bytes
First seen:2023-05-02 09:33:10 UTC
Last seen:2023-05-02 11:22:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:8V2njoB4CyjA6o5Lm43oU5xIReaukz9J30ndi+0InQmJxRHHE6mRsc9gC8NLhPtD:W4VM9x/3z4R9uUJkndb0InsO
Threatray 2'753 similar samples on MalwareBazaar
TLSH T196E4D0136056CE17E96587F84170FB9853B8BE7349E6E1582A7A30D2C9B2F071F4C89B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f0f0f0f2e9341498 (1 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
225
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Hesaphareketi-01.exe
Verdict:
Malicious activity
Analysis date:
2023-05-02 09:39:27 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/0c09e99c-73e6-48a9-8499-276e0cc67e76

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/386038/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6450d90b463eacbc57db696a/reports/f6d7d817-655a-4252-8957-63d76074bbb1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/7145d9d7dd02971872d0f257c6d833125882a9a710d5a631f3f4e2adcdfec125
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/78fe150c-3068-4c69-bbaa-e2f4928f4f08
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1224527
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 857489 Sample: Hesaphareketi-01.exe Startdate: 02/05/2023 Architecture: WINDOWS Score: 100 31 www.glenwayorder.co.uk 2->31 39 Snort IDS alert for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 7 other signatures 2->45 11 Hesaphareketi-01.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\Hesaphareketi-01.exe.log, ASCII 11->29 dropped 55 Tries to detect virtualization through RDTSC time measurements 11->55 15 Hesaphareketi-01.exe 11->15         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 18 explorer.exe 2 6 15->18 injected process9 dnsIp10 33 www.diagnos.online 208.91.197.91, 49701, 80 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 18->33 35 www.doubletakedetailingshop.com 18->35 37 ext-sq.squarespace.com 198.185.159.144, 49700, 80 SQUARESPACEUS United States 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 mstsc.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7145d9d7dd02971872d0f257c6d833125882a9a710d5a631f3f4e2adcdfec125/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-02 09:34:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ofc5tv65aklrq4wq6jl4nwbtcjmifknhcdk2mmpt6trk3tp6yesq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02ea9a838872751f53f53611015ee23062c2cbc9b71a962caf500e54a145e87e
Formbook
2fdb6415ee1ac0fde68933b412b35ba69b7d506750d5eab8924b244adfaaf82e
Formbook
6f4246a44c4b69ed8cc30d0583be906c7a8040216321889da1bd74ba7815aedd
Formbook
70bcbadb3a0abc69b680eb0fdb9c28073dcac6cf7230c855c2bac00943d81485
Formbook
7724828eb796d8c3310c8af73e9c19ecf37ad1af5ebc0cbd35efc5d4b36f36d2
Formbook
7e5a4a969f8e5439adceca4bc465664de6f891baf774f5d472cced75a52c5b5d
Formbook
90f8a6e23c16788ef3a7adee0b9b9a03cede0905367d71a8be46d3dc24b7b759
Formbook
b87fa8da6f775f13b1d72b19c0b107e87f875f71a69426ec24b61d7fb98929ae
Formbook
cefd4eb74016e610d635972a5c7131ef8f253b6309cbeb5a3db216b506ef2185
Formbook
ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5
Formbook
+ 2'743 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:by94 rat spyware stealer trojan
Link:
https://tria.ge/reports/230502-ljrrgacc8x/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
1e57d4219cbe732483f587562ff34875a0ff52676fd4e8eeba84c661ef4c110a
MD5 hash:
02e7fbef565b2d4265f75662d82a6305
SHA1 hash:
081c3679099a51ffed77412a4958295a16271624
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/010a06e3-a5f0-45f0-af22-b8029d32642a/
Parent samples :
70bcbadb3a0abc69b680eb0fdb9c28073dcac6cf7230c855c2bac00943d81485
7145d9d7dd02971872d0f257c6d833125882a9a710d5a631f3f4e2adcdfec125
6f6b3a191b4aad04649e0a6da4c6d2d73f037813cbeb84f4635c1a0d06ea2252
SH256 hash:
7fd98bfe84e29f3d2396280a38bda1ce1bc4a79cc55fcdb079eee9461684fccf
MD5 hash:
4a1f8a7c515ef35593e7c709ebea0bda
SHA1 hash:
b155c14a9bcedeefda58ae047a2a7168c5d9c5e5
Link:
https://www.unpac.me/results/010a06e3-a5f0-45f0-af22-b8029d32642a/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/010a06e3-a5f0-45f0-af22-b8029d32642a/
SH256 hash:
a3f06c0eb98b3402b12c9af137241d9e918b3fd0e6a1cf1253523b4768d66981
MD5 hash:
0354251b1721c33abe136b1d1dec7ecf
SHA1 hash:
84254ee864c8cc611799801f20d331fc4f6af174
Link:
https://www.unpac.me/results/010a06e3-a5f0-45f0-af22-b8029d32642a/
SH256 hash:
8362a107d309eb065d84b5780573c9fd37827ff8f975eaa758b6cec1091172fc
MD5 hash:
c23099f8f63823b69870bfbf7749ecef
SHA1 hash:
2651b69408237d6854e68fc610ea8bb12acae4fd
Link:
https://www.unpac.me/results/010a06e3-a5f0-45f0-af22-b8029d32642a/
SH256 hash:
59c53cc940ddf58a00d4f72c25e1bb88c5dae8c7161e8d046fd5248b050babd0
MD5 hash:
9538ac558565ea46c3692fbe5c4befef
SHA1 hash:
795dd8d27e5d67e9f4382aac03e71c05bbae0635
Link:
https://www.unpac.me/results/010a06e3-a5f0-45f0-af22-b8029d32642a/
SH256 hash:
7145d9d7dd02971872d0f257c6d833125882a9a710d5a631f3f4e2adcdfec125
MD5 hash:
4d4fa95111e180bb6072b32c98ebeb28
SHA1 hash:
dcce0de0ddb73ff8acb0ffa7ef095724ac4f2487
Link:
https://www.unpac.me/results/010a06e3-a5f0-45f0-af22-b8029d32642a/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7145d9d7dd02/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7145d9d7dd02971872d0f257c6d833125882a9a710d5a631f3f4e2adcdfec125

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/386038/

Comments