MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73d1e3aef89f5422a3ef99c1b182cb87a9aac77654ec40d849b8f4f675ada622. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73d1e3aef89f5422a3ef99c1b182cb87a9aac77654ec40d849b8f4f675ada622
SHA3-384 hash: a0010bb650fb49677de2b847178cd47063eef2e83d533ee0780ad4c8809ba50819d8fbc588b3c5ac549a60f00ebd422d
SHA1 hash: 4b86d5a325f991ac6dfca0600e0b97625be7ab2c
MD5 hash: 069d90834a9888dac4685f5b02b81d95
humanhash: zebra-johnny-montana-pip
File name:RFQ_CIF Xingtai, Hebei PORT PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:955'904 bytes
First seen:2023-05-05 19:44:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:sZ4ni4IyUCNyFL5Q3WHsrb3SQ4NQlayr/LX9XxMWz1sFZ+ocJkOP7r9r/+pppppL:sKsoM5Q3Ww3V4WlayrLXrVCDTikO1q
Threatray 2'743 similar samples on MalwareBazaar
TLSH T1B6158C81D19587A1DC3A9BB01539F83003737DAEA8F9D91D0DDA3DE73BBAB82241550B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ_CIF Xingtai, Hebei PORT PDF.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-05 19:44:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d5d9c1d6-b547-404a-95dc-48ec9be5f364

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/387016/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.99252.3361.2368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64555cbfe9d38c7b451ef456/reports/5d5e01ea-432a-423d-b073-a282dfa6f445/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/73d1e3aef89f5422a3ef99c1b182cb87a9aac77654ec40d849b8f4f675ada622
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/049ec724-d0ee-4670-a71a-d948b950a0e7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1227316
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73d1e3aef89f5422a3ef99c1b182cb87a9aac77654ec40d849b8f4f675ada622/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-03 07:01:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
58
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=opi6hlxyt5kcfi7ptha3dawlq6u2vr3wktwebwcjxd2pm5nnuyra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2c41ec55217c805b8a73085daa06089d01cd601d1bc16a0099be113222e0446b
Formbook
3dca60e7a32bc81165f399bab2162271332156e05c490ed4af3972713a1cb0f4
Formbook
44a297e5ccf344c0422f4f80b2c490f2650bf44c142f131378b2eb6a6507bc9b
Formbook
61141d9453d13d203de8255903f1aec9fea4906616f000cca0b906a58d754cca
Formbook
8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b
Formbook
92260cefa8e973f4c40e32aa5656cc9794b745db70b5c7b410a7b0b10c443c6c
Formbook
b5f2e0b49faad7f9714d0b1088965647eb83d8772b234555738bcea1094dfd2f
Formbook
c2720f6ee1602fecf28ce957b38accc0ebd54a27a466872b4863bb3edf063670
Formbook
e843a90ec56b0efbd176b3856d811875e24b98ae6fdf77985e1b77916ab4259b
Formbook
f815d1ea14ef2734defc99e94b62ea6d0fd6a98f15a17c4476eef17b14f2587e
Formbook
+ 2'733 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230505-ygc7hscd31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
9c0332033cc4aff58a7e965c7aa1898fedea5208f18ce79f2288290f5565c4bc
MD5 hash:
78bcb4f17e7012f839564dc1d7930cf9
SHA1 hash:
c4d4e3f45917faa856e69ed4f45e3c4bb17afadf
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/f5fabadc-f39e-42eb-8705-fb7e58ec8f4a/
Parent samples :
f815d1ea14ef2734defc99e94b62ea6d0fd6a98f15a17c4476eef17b14f2587e
73d1e3aef89f5422a3ef99c1b182cb87a9aac77654ec40d849b8f4f675ada622
b8a70013e02074ef65e40f9ceb419540d39121ec06a2eb01805f24e80f079627
4d9d3571a9694b594e2be0b578c92ace288b1446aa514b5d0606f2809783e6f5
SH256 hash:
958d1dc1b7321d5e6eff78652e8613e59bc6621bc98a2a6cb8f74eeedfaee9bf
MD5 hash:
b00cd696de344241cc4a2c4bab86b638
SHA1 hash:
d113054d741087f62d31a8c1097ec56872d24b74
Link:
https://www.unpac.me/results/f5fabadc-f39e-42eb-8705-fb7e58ec8f4a/
SH256 hash:
bc1df2ba41a8deee43d9e795c38ed711eaa7cae9a314fce7dd9344b170d5a6fb
MD5 hash:
ac8d58c69ac78a045a784b5552c18899
SHA1 hash:
edcbc12bdd26655e63625887de62f2b32e994d4d
Link:
https://www.unpac.me/results/f5fabadc-f39e-42eb-8705-fb7e58ec8f4a/
SH256 hash:
c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash:
da56041df789c24cb2a36a364431f766
SHA1 hash:
876e6c579d1092a76ce90c500c43af0cf11724a4
Link:
https://www.unpac.me/results/f5fabadc-f39e-42eb-8705-fb7e58ec8f4a/
SH256 hash:
8bec0840a51cd3cec48dcaa43284171ed69bb135c112ac15f09650b905cea09f
MD5 hash:
203c67ceffcbc26c6a69c032fcf3363c
SHA1 hash:
670b4e641dc8617400f82ab5c777d9861f2865ef
Link:
https://www.unpac.me/results/f5fabadc-f39e-42eb-8705-fb7e58ec8f4a/
SH256 hash:
45d7f17fb4a959c4c42dd0564366de925a57af049541a608283e62518588dc9b
MD5 hash:
82357c3cb8b09c65ae3ea63c7a105e75
SHA1 hash:
4ed2d20a640f1efb587b54db5a88b5016d66ded1
Link:
https://www.unpac.me/results/f5fabadc-f39e-42eb-8705-fb7e58ec8f4a/
SH256 hash:
73d1e3aef89f5422a3ef99c1b182cb87a9aac77654ec40d849b8f4f675ada622
MD5 hash:
069d90834a9888dac4685f5b02b81d95
SHA1 hash:
4b86d5a325f991ac6dfca0600e0b97625be7ab2c
Link:
https://www.unpac.me/results/f5fabadc-f39e-42eb-8705-fb7e58ec8f4a/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/73d1e3aef89f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/73d1e3aef89f5422a3ef99c1b182cb87a9aac77654ec40d849b8f4f675ada622

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 73d1e3aef89f5422a3ef99c1b182cb87a9aac77654ec40d849b8f4f675ada622

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/387016/

Comments