MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73d9d803595c81a20d7e3627aa3cc96d07020e4f7be1f047a482be30b9091f22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73d9d803595c81a20d7e3627aa3cc96d07020e4f7be1f047a482be30b9091f22
SHA3-384 hash: fa6e84a011647618f70d4c33284bc580e09027f059b90a1f5dd1646696a6c78eca2665a491d4e016d2b87eec88bfd6ce
SHA1 hash: 6047b03af759495b4222ed22ba3038ad1681d707
MD5 hash: 3b028e2a0c90186aeae26f30b5a02999
humanhash: grey-friend-jersey-charlie
File name:order confirmation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:832'000 bytes
First seen:2024-12-02 13:10:51 UTC
Last seen:2024-12-09 07:29:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'739 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:P1MDxjoG/NgmA9D/TDidUwaPJtD5ePpf:PmDOG/N4+dUhAf
Threatray 1'207 similar samples on MalwareBazaar
TLSH T1870501102266DA07D5E20BF40662E2B497789E9EA521D70F5FDA3DFFBD3AB051080397
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
384
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
order confirmation.exe
Verdict:
Malicious activity
Analysis date:
2024-12-02 13:23:35 UTC
Tags:
netreactor formbook xloader
Link:
https://app.any.run/tasks/189e297c-4c56-4956-9156-e66b489f6d60

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=674db3fae64d1c722d7b5978
Tags:
virus gates msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed packed packer_detected
Link:
https://www.filescan.io/uploads/674db1ff2ed0555438f224f9/reports/5c8ecbd2-90ae-42ee-b6bf-a9c866409dd3/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/73d9d803595c81a20d7e3627aa3cc96d07020e4f7be1f047a482be30b9091f22
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6b9ae855-031d-4322-a08c-d43d76e6eb25
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1566605
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/73d9d803595c81a20d7e3627aa3cc96d07020e4f7be1f047a482be30b9091f22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73d9d803595c81a20d7e3627aa3cc96d07020e4f7be1f047a482be30b9091f22/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-11-29 11:05:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=opm5qa2zlsa2edl6gyt2upgjnudqedspppq7ar5eqk7dboijd4ra._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
2ef8e6a7e290f566d0e90f72b8567fe92952dcf6a0f29c673c64794b7d799c41
Formbook
2f8b625544a974b1d801bc2de338dca23abb89fd6d49b5b9bb8ad2dbbb7e41ba
Formbook
56074e8ad9bd7ee8b56c2bbd5c826c7bbcb1819dd0145c7a2733b8ce3d78938e
Formbook
b2a1e0e508be9c7546a8af45c72f2032f067ac036f03ec0c8309b368b195a65c
Formbook
bfd4e29505627b76243c4ea34c07b22af7edc00391b112e78c2dc3cf7a48d742
Formbook
+ 1'197 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/241202-qeyrfazqdk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e6663889-e7f0-40e2-b019-209f8021c964
Unpacked files
SH256 hash:
f5af229f1296f69829d4f49ec1e653ec030e33b679b210bce8fca7cd86f63232
MD5 hash:
7e217d116d9e5083d0e63ab0f3d7822a
SHA1 hash:
1d93dcda0a5dd2713fd95a65f96c537955757c09
Link:
https://www.unpac.me/results/10a62225-8b20-4140-857a-e7215db3e6e0/
SH256 hash:
0c5b240a572dc93a2fbfadedb3d8546d6135073ca453314e2bea846d71ba80b4
MD5 hash:
44d0bb82f0f405a4e28d3276806acbe4
SHA1 hash:
6bd49361ca634a35077742e8b5386bc626838369
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/10a62225-8b20-4140-857a-e7215db3e6e0/
Parent samples :
137e0a944efefef514d0595cdfade088a59eb12404a1469e76cd024ebdb2d1f1
73d9d803595c81a20d7e3627aa3cc96d07020e4f7be1f047a482be30b9091f22
SH256 hash:
6e4873d6228ddd5c2cd9135a4b50224b0099557e16064d4e53e91160500b89ea
MD5 hash:
712d10cc8ec1a2d41b2bf2b18cd26a13
SHA1 hash:
6ba14e55c2ef2841b12f3c3f2a699263c0dcfb8b
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/10a62225-8b20-4140-857a-e7215db3e6e0/
SH256 hash:
716a5131bd5886d87bbe81648830ce61b345dd89df3e78ad84b1a9b994654d8e
MD5 hash:
608e824f6d7d8db19f882687324ef5b0
SHA1 hash:
4b68d049df1b43db283a77cb2e57cea03d407a7d
Link:
https://www.unpac.me/results/10a62225-8b20-4140-857a-e7215db3e6e0/
SH256 hash:
73d9d803595c81a20d7e3627aa3cc96d07020e4f7be1f047a482be30b9091f22
MD5 hash:
3b028e2a0c90186aeae26f30b5a02999
SHA1 hash:
6047b03af759495b4222ed22ba3038ad1681d707
Link:
https://www.unpac.me/results/10a62225-8b20-4140-857a-e7215db3e6e0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73d9d803595c81a20d7e3627aa3cc96d07020e4f7be1f047a482be30b9091f22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 73d9d803595c81a20d7e3627aa3cc96d07020e4f7be1f047a482be30b9091f22

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments