MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73fb7e6a62fd32d3a0641d37119b41aa9ae24f6e0aba7e4d8c4c715cdd972679. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73fb7e6a62fd32d3a0641d37119b41aa9ae24f6e0aba7e4d8c4c715cdd972679
SHA3-384 hash: f0108fa2333b2861b2409700866f02ce2c1b3a452e447f383b7cd8d5f3090591b59a249e1ffac8fb83ecde38f7cd6a8c
SHA1 hash: 8fbfb90f1f7e0a5b36689038c7eb260ac7792991
MD5 hash: fb1249910d2f305848ea42db03c6e343
humanhash: twelve-mobile-ten-wisconsin
File name:Protected copy of the commercial invoice.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:687'104 bytes
First seen:2022-05-31 12:08:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:0rXpUSlB61512mi7AaPkg/wB4tsisf6jm9d6INB6wEP3Aoz:yXpUSlB61512miUSkgltsdumDVE
Threatray 12'877 similar samples on MalwareBazaar
TLSH T16CE4223966788A06C9B60BF85127D1102374C26AA347F76FED69A9E938E33D147033D7
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70f8ecccece87070 (15 x Formbook, 9 x AgentTesla, 8 x Loki)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Protected copy of the commercial invoice.exe
Verdict:
Malicious activity
Analysis date:
2022-05-31 12:17:14 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/a71b039a-94b3-42ae-a001-e897ae8ace8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/275727/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.11319.236.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6296059ea1e18c0518414e67/reports/4343ec1c-7242-4d70-bdba-07c0e726c50f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4a8afa7e-cf56-4341-b187-c71cbad9f1cf
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1004225
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 636717 Sample: Protected copy of the comme... Startdate: 31/05/2022 Architecture: WINDOWS Score: 100 51 www.e2edynamics.com 2->51 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for URL or domain 2->63 65 11 other signatures 2->65 10 Protected copy of the commercial invoice.exe 7 2->10         started        signatures3 process4 file5 45 C:\Users\user\AppData\...\qFPFVJxQFZZfo.exe, PE32 10->45 dropped 47 C:\Users\user\AppData\Local\...\tmpD695.tmp, XML 10->47 dropped 49 Protected copy of ...ial invoice.exe.log, ASCII 10->49 dropped 77 Adds a directory exclusion to Windows Defender 10->77 14 Protected copy of the commercial invoice.exe 10->14         started        17 powershell.exe 25 10->17         started        19 schtasks.exe 1 10->19         started        21 2 other processes 10->21 signatures6 process7 signatures8 79 Modifies the context of a thread in another process (thread injection) 14->79 81 Maps a DLL or memory area into another process 14->81 83 Sample uses process hollowing technique 14->83 85 Queues an APC in another process (thread injection) 14->85 23 cscript.exe 18 14->23         started        27 explorer.exe 14->27 injected 30 conhost.exe 17->30         started        32 conhost.exe 19->32         started        process9 dnsIp10 41 C:\Users\user\AppData\...\228logrv.ini, data 23->41 dropped 43 C:\Users\user\AppData\...\228logri.ini, data 23->43 dropped 67 Detected FormBook malware 23->67 69 Tries to steal Mail credentials (via file / registry access) 23->69 71 Tries to harvest and steal browser information (history, passwords, etc) 23->71 75 3 other signatures 23->75 34 cmd.exe 2 23->34         started        53 parkingpage.namecheap.com 198.54.117.215, 49774, 49776, 80 NAMECHEAP-NETUS United States 27->53 55 www.feastogo.com 27->55 73 System process connects to network (likely due to code injection or exploit) 27->73 37 autochk.exe 27->37         started        file11 signatures12 process13 signatures14 57 Tries to harvest and steal browser information (history, passwords, etc) 34->57 39 conhost.exe 34->39         started        process15
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/73fb7e6a62fd32d3a0641d37119b41aa9ae24f6e0aba7e4d8c4c715cdd972679/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-31 00:57:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=op5x42tc7uznhidedu3rdg2bvknoet3obk5h4tmmjryvzxmxez4q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
022beee80a1abf89283d6c5008a075efd3018a4c382a00165deb171e7702a32e
FormBook
19f5a2d97c62b9c69a31e8cd0dddc9e18c852158bc1dc00a664bace1cbe7c2a0
FormBook
42c0e5f0f9d889bd6e7c3a20c23d97a88a9e2ae3ca67a731815c6a698d7de7fb
FormBook
49ba8d495c9c41fc5312136f664fc1853f7b40d0f8e418953aca83ed90fd768c
FormBook
7b3ac209ae00cd1fdb297032b35d2d0b1c0e1e66d95b1c90045e44c223232c93
FormBook
9997ae9723bd215339367807584c52f6e7c99910d5d155f10294b7a8ac55ba1a
FormBook
c7fbbdd84572a117d47a54168e71b8bd86f0c70198468486f6c3a040e9ecc310
FormBook
f40a38225821147424c40ad23f18de1859e7c2ca11ae544387aed8ae2583b364
FormBook
+ 12'867 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:m94n rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220531-pbfwsabba9/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Reads user/profile data of web browsers
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
d80aaddb49d6c717b700a92382521fbbfb50a6eb2bd5e9ebdd8eb576aed16241
MD5 hash:
f008511a4da88793fc33e1503fa1ca8b
SHA1 hash:
a2ecf22dacfdfac1a94db82c7ff4d50d0aed71d2
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/76b732bc-235b-4b74-a97a-5f4941411874/
Parent samples :
11dd00b072a09a1fbb102e92ed096edb02f0dac02a88a690666873d4bcd2c515
7b3ac209ae00cd1fdb297032b35d2d0b1c0e1e66d95b1c90045e44c223232c93
2206d15b819a0d6ed671d99487bb1d52b34194ad540b6fe3e93a75fc11ebee6f
2d7596387c56ea27d070940b58893160f96ab6b8e3ce084f4687a06a1a0d44a9
73fb7e6a62fd32d3a0641d37119b41aa9ae24f6e0aba7e4d8c4c715cdd972679
SH256 hash:
a2d10d3cacd717b6cd521f368a94b3c77b804706953b8bca58cb6991e269b89e
MD5 hash:
63977079418c6c7df3aa311673944cbf
SHA1 hash:
64f4afeff76fd77f4fa823a9dc5bd854a7185bb8
Link:
https://www.unpac.me/results/76b732bc-235b-4b74-a97a-5f4941411874/
SH256 hash:
47abd3ba56548ac049dfec2c622fdd930cdc489b558e37104691b663c29bf03f
MD5 hash:
02048a4ffa4e728f8208245d87df778d
SHA1 hash:
bcdd39df23f928cd86af539462bdf14562029bcc
Link:
https://www.unpac.me/results/76b732bc-235b-4b74-a97a-5f4941411874/
SH256 hash:
71693e2f8a4d4f1baf3ca3bc95d8cfdb05afb735ec6f649a91f6a847afcd53d4
MD5 hash:
0b1ae19ab642657ebbb5394237404ebc
SHA1 hash:
8b559756c704515ab2badf1bf7619e41bee017a2
Link:
https://www.unpac.me/results/76b732bc-235b-4b74-a97a-5f4941411874/
SH256 hash:
879c29560b21be7d9b69ca27ca4756df86e080fa3e34cb191aad5cb1e5f05504
MD5 hash:
30b6a54a992eae921a2eb8c5ea130911
SHA1 hash:
1c83f0319bffe007077c6656418c9b7344d5affe
Link:
https://www.unpac.me/results/76b732bc-235b-4b74-a97a-5f4941411874/
SH256 hash:
73fb7e6a62fd32d3a0641d37119b41aa9ae24f6e0aba7e4d8c4c715cdd972679
MD5 hash:
fb1249910d2f305848ea42db03c6e343
SHA1 hash:
8fbfb90f1f7e0a5b36689038c7eb260ac7792991
Link:
https://www.unpac.me/results/76b732bc-235b-4b74-a97a-5f4941411874/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/73fb7e6a62fd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73fb7e6a62fd32d3a0641d37119b41aa9ae24f6e0aba7e4d8c4c715cdd972679

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/275727/

Comments