MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72edec1131f38fb1e1753c90814de040ecf70515a270a1f1d3481c9194f6b949. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72edec1131f38fb1e1753c90814de040ecf70515a270a1f1d3481c9194f6b949
SHA3-384 hash: 194d92eefa703603d01da34e43243d29da3f22d5a2265aa71fbbe44271b19125a0126ce0f72d2b680d479913727b0b5b
SHA1 hash: 79db5200b956902dd4af64755db95edaca0129ce
MD5 hash: 9176362e4e9cf5e872971aa8dd3fa568
humanhash: north-glucose-michigan-mars
File name:NEW ORDER.249015-RFQ.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:839'176 bytes
First seen:2024-09-30 08:43:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:j3UxdU3TzNnE9GyJdZXKJEGIx8cSYByqwrLq0THGT+Z7k0Wf757/l8SYhvWWkR:j3UxonEIUd5EVX0yqwvqcGEIxYtWN
TLSH T14505E0D03F36B30ACEA85830D67ADDB592A51E68B00479F3A9DD3B5B759C111AE0CF06
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
377
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW ORDER.249015-RFQ.scr
Verdict:
No threats detected
Analysis date:
2024-09-30 08:20:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2a788faa-95bd-4b12-9045-998154fccb0e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.5983.6850.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fac460c85f12c405da6fae
Tags:
Powershell Injection Exploit Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade overlay packed phishing
Link:
https://www.filescan.io/uploads/66fa64d7ac7403f51790b5ca/reports/45f33e16-5925-49f0-b682-6955c4657414/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/72edec1131f38fb1e1753c90814de040ecf70515a270a1f1d3481c9194f6b949
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8cf2e151-3b14-4fcf-b1bf-06cd7c3f4704
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1522548
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/72edec1131f38fb1e1753c90814de040ecf70515a270a1f1d3481c9194f6b949
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72edec1131f38fb1e1753c90814de040ecf70515a270a1f1d3481c9194f6b949/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-09-30 05:42:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=olw6yejr6oh3dylvhsiictpaidwpobivujykd4otjaojdfhwxfeq._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/240930-km58lawbkr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/31dede94-a6fb-4f61-b449-ea76cc093e98
Unpacked files
SH256 hash:
643dab89a80f94480007884f32e44a49f7f6a2ff5b1c3907e40085a15d7eec63
MD5 hash:
888c218f3606cc24d81bfb8a770f6314
SHA1 hash:
30a7423914d10fa2106e893fe23fd59f8c75d496
Link:
https://www.unpac.me/results/f2eae09a-87b6-46c6-95b8-c278139ed65a/
SH256 hash:
2b8de65546f51aa1495137b6106be71171f9c98f5345ebf932e7e299f197f14b
MD5 hash:
6cfd9bfc81a361742340c4e0aa0f90d5
SHA1 hash:
6246d2bc549216c8250513986d78104fe44b5975
Link:
https://www.unpac.me/results/f2eae09a-87b6-46c6-95b8-c278139ed65a/
SH256 hash:
c326bb525f050da06ed453ec296caddb8ebc29aedcc8476a6d303f4e53201eb0
MD5 hash:
3fdc63e5511cc90f5514b2064174dba4
SHA1 hash:
d14f393d6fae895d47f3d680215349c0da3d31b4
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/f2eae09a-87b6-46c6-95b8-c278139ed65a/
SH256 hash:
d2174ddc2b6341b898b939fa0661d2a1cd8d485f5237427331f0d889672fbe7e
MD5 hash:
221f891053c35a694d7b442b7909d086
SHA1 hash:
81cb6829a184bae91927dc8b57744e895355b281
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/f2eae09a-87b6-46c6-95b8-c278139ed65a/
Parent samples :
509070cd30eb4cb05c29fe8cb222166c1c7db0f6084ea5b91e37bac79c14ac30
7ef4c75ee4a5f3b7f2ac44323d9ba15bcd24f5d0b9e3e04dc330dc6cde421b7c
97fb0388618e3d977b390696f4ca19e38f0e706d70a40726bab9ed8dcdcd036c
6b8c990c92c37f014fc93efd79c6fbb3a22e8da7961e9333644bfeac353a2ae2
49a6d4dde10788e5000df6a0fad4be9ab17567fd1314b64c3d7be0257adcbc65
72edec1131f38fb1e1753c90814de040ecf70515a270a1f1d3481c9194f6b949
9ca5a71321522f47140b36e5f1983cff7455dd124caa231d97df29cd654c6893
85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820
c7ee9124f10a69564f9f096cc641aaf1c005a5270c8b62781ab71ced91a941d2
5ea66e4e338b5ded7b00ad1575010d7c1149341323a646069f3b00a518f300d5
c89c37f0b5dc89251da6c37aa8e1071c43d52c80fd2326f1e6de8dcd5eaf0dfc
c6ae41874ccd5d6c3e6da49cae6d0a0e8eee20e7037896b38f1e4523dd9543c8
08d86feee2707af5c57b4ffa8663c0e447c7425c39a103906cf15eae7cf1df9d
a433aa981a5cbfd5fae678c523b088d034f61f57dcb61232fbaba73657867b36
2095af004e76f0cf7243b68e868eeb3b9c8c157d632aa785a87a93addf3b75fc
9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e
822e06191849b35415693155a46edff39c41db14f3dce949120456c1b7b55892
79bcad797129c0be508de0fe7b0462b1aaffbafa74a4e7019a4561deb674f4bd
0dfe79bf85e9cfcbcd5ffa2cb21370eaf78d80d27ae4b4b0c5087afad5c6ebb8
156b1cea1a2f649e332be482047de3d368f5f7b7e93eb4821692ada17a69fc75
b31cbc6ec2eb2b790c422f0f960bb1436106d92958703cb005ccdef38887e310
c01d1b77062d28f497480aac1c2ad019d88b9f12a8db4405065cd2a9f3086191
362207c53645346df6f36cf3f7792e5fc4655895b35a6e3477e218e0e0007be9
3e26ebdfbd46dadcbf46c199970362689fa6ca0e0abb65ec703ca21d08b7269f
3279f79164633c0881c50971c98ca39bc9367111410f77582700468f2c0e3dd1
38f275624c634801c164c2c8f3294cbeea49b47e8e8d83bda53a0bc8aa7f7106
1897d47010a97079de62b957827fbecbdb4690ead4a51417fa6f1dccfc19f6c5
ece8d193afdcc6ec2c024e2441f7c0ce25801143573cacf71cf059de9a337275
b92304c2e680f54345fa77f77b0c507f93d05d43547e819d2ebf53a31e48ac97
f25dc80bfc742a0e8091d216ecbc033d93e71d43b31bbefb3ec9ef6cfc637cee
810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63
1cbf1a11cb59b7a4135093c3e6b11be6b81ba57fb30707de145a1d41506760a6
6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41
d55b00b7cb5305371e1cc170179e7025cc517b810e57992adab16893b410985e
12af745dd8353b25857dc4bd3d3282f21c960ab55d3dece7e62d7a10a9aae810
60712b6d9bb023934b8d27fc6f54b3543a5ebfcd229cd1c4cb8f8dbaec08dc99
520fe428b0afdaf20673224c5004c004ab1d1dfd492cc54a37e362af8a844005
8f49d498d3ed3ff8f66d7f22a4ab6b7747e2e799662ee75b2019304e5dbc6dde
884c0261a0c4ff07790fa549a0dc1d752bd97ef3e0635536193c585a291a7281
368305c8a62f4edc3ab1b94d1242e5438b7d7c14a6c65f7beb4aad32b1984821
c387b91dd56a4b66da4582e26ebc0c5a473e37251fb44650fc62d6d4749d5c8c
27ff307b514230b2363e2284e1d57df50bc8a59b5cf8c732dc32d5587d472c64
407df9654a54792ee72730f5dae8bd303d7d92a24a5fe0a5bc83f634bab7a235
8b528f3a173e7e40394c21bb0cfa0304ef12b58ab185de1da8e4b4e5231eee8a
afef519b2380d9483a1b51eaccf235593140a75641e5a469d130f2d48ffd5268
a327355ae6e99929d1303a762ea8a936d8e4884f45d683de08dba6882c1c016d
ddad2801522370c2ca5c4ec41663b36a88ef6be171867f23f084c0fa6ecb1055
5a227bf354dbad129be8c6e1b82eca5bbe6f27587a522fd5fa9e30bdd61b8618
02abb1d01386d7d7ffd8debc2c0fb09baebb82d88b8f758e4de3f0deaaecfbf9
65b4919d036f5dc3a1dfe9b62510ed4e578a87dccf862df6fbb8524894c2965d
a77754ef6de4a61024e443178b88e50be8b1994f87b323ed7fa5f2f197acdab4
780354ea81fa066b085767d98d878a9b891f7febea281d2e09577b424a6ab47d
b9f4537fa4b470f09cc62c1c706004604498c9405e638712eb4f2ea6a6b1876d
4ed81a9a25e52a99d76805b081679cfe3628756be4bda6a47e365506c7df3a0c
3376b495c19dc3e179dfb2ef072a362c2d26ed59b06266dd7dbf080a80a005f6
0ad205b2d883bca56250246f308228379c27f6114d8b740014deeef53b3412bb
01ab4d20ae687b065b10fdf3f3243a46a320dcec4b3a9a8e0cafcc0878aa1800
bf4ab91b352744a5ac16ef96f4c25405b993ded0aeaed9c09efbddab513877b9
b1fb20d5857d1ca65dbacd6cb100dc2d7da8eb7ce54d4faeebafb2bbb212beca
03b5cfab3f0ffdf96e415006004be9a0c05e6365e1d5834984cfd5cea9df85fe
3d4bfc47bd88ef39e0780482a1b0fde1cd85772ddce25d9905d88d48b5b96a4a
e407720bcc7f5845bb9cf84c1c1209ef6e2afd339518359f86944c5f6e019b09
e7fc9e51d81f4b40dca80a3d83ca54a03120566b6dd6f76e0299546ac178f633
20f9d4cf5cd85fa7cf0d58b55409f75f9af0b952d3b573bffdd21966d9a3f396
SH256 hash:
72edec1131f38fb1e1753c90814de040ecf70515a270a1f1d3481c9194f6b949
MD5 hash:
9176362e4e9cf5e872971aa8dd3fa568
SHA1 hash:
79db5200b956902dd4af64755db95edaca0129ce
Link:
https://www.unpac.me/results/f2eae09a-87b6-46c6-95b8-c278139ed65a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/72edec1131f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72edec1131f38fb1e1753c90814de040ecf70515a270a1f1d3481c9194f6b949

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 72edec1131f38fb1e1753c90814de040ecf70515a270a1f1d3481c9194f6b949

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments