MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7439b7be3572ee86c84019ac60a182f9f183f7ce14b56a59898a9772fbddedf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7439b7be3572ee86c84019ac60a182f9f183f7ce14b56a59898a9772fbddedf5
SHA3-384 hash: 1bba2387275c326b6fc8ccf1a6d933cc91b179fe8d0c71f2983cf010df2852039aa8b97b468fbd6d6ddf1666393bf31b
SHA1 hash: 2f77979ecf3dafd8a0f6f1777f91e9433fcbfc0d
MD5 hash: 65b8f0d5e0879e399e0f0a1b20d72d54
humanhash: johnny-may-tango-table
File name:7439b7be3572ee86c84019ac60a182f9f183f7ce14b56a59898a9772fbddedf5
Download: download sample
Signature Formbook
Create hunting rule
File size:587'776 bytes
First seen:2023-09-05 10:37:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:k0Dl+C42xjW1SiEBGg6u4vL21R4yx+Nxk0wlZUvm:9yB+T4vL21qo+bkz
Threatray 603 similar samples on MalwareBazaar
TLSH T1C6C423056F9C2A2AD06F07F87859621AA3F6307A25B1DFFD6A5BB8D009777403B10772
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 6def1c8aca1cff6b (1 x Formbook)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7439b7be3572ee86c84019ac60a182f9f183f7ce14b56a59898a9772fbddedf5
Verdict:
No threats detected
Analysis date:
2023-09-05 10:37:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/faa4b1fe-c4d7-422d-a70e-bad4fef3748d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/446287/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64f7050bc95366b9efff694b/reports/a2d60dd4-5fdf-4686-9b8c-bebe5f83c67a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7439b7be3572ee86c84019ac60a182f9f183f7ce14b56a59898a9772fbddedf5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c07f0268-31a6-439e-8715-6ca3ff617c9a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1303437
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1303437 Sample: s6iTCm8Z41.exe Startdate: 05/09/2023 Architecture: WINDOWS Score: 100 34 www.azoden.com 2->34 40 Snort IDS alert for network traffic 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 6 other signatures 2->46 11 s6iTCm8Z41.exe 3 2->11         started        signatures3 process4 signatures5 54 Tries to detect virtualization through RDTSC time measurements 11->54 14 s6iTCm8Z41.exe 11->14         started        process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 4 6 14->17 injected process8 dnsIp9 28 gilbertdoggroomer.com 15.197.142.173, 49778, 80 TANDEMUS United States 17->28 30 www.royalplywoods.com 198.54.117.242, 49784, 80 NAMECHEAP-NETUS United States 17->30 32 4 other IPs or domains 17->32 36 System process connects to network (likely due to code injection or exploit) 17->36 38 Uses netsh to modify the Windows network and firewall settings 17->38 21 netsh.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7439b7be3572ee86c84019ac60a182f9f183f7ce14b56a59898a9772fbddedf5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-05 10:38:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oq43pprvolxinscadgwgbimc7hyyh56ocs2wuwmjrklxf6655x2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ba8b0616ca5557b8757e20eb42437aa439606de5ca3598c6a9bb7e48fddc915
Formbook
50671a5bf0d58b9a8aa7fd42a637c27d6db8f2e35a6a1faef249a7b6a779fcb1
Formbook
69ad393acce0c5b5137e32460e432977fc48d5a4bc6a76ab5c6fd0b01e56b996
Formbook
6f4954a23f51c48f450992f809848da3a8bb5c1d7c4bc262332fa2507f1a1cc9
Formbook
96df12776607bce40d6ca1c8b9e79ac9b8bc8057ddf91014599e5452896ef4e0
Formbook
9a9022c2741141541b5e634dfac69e41e75887584b51424f044b525416e8e676
Formbook
a0fef35dfcd0a26bab66af912e02360f499d55297f9ce71c55abd9ef180305c8
Formbook
dfba6d9c101eb1273aaf962047fd958424bfac70a1162c2a910640981a23d054
Formbook
f14adf8284d2d04072445b5744da50141332a86ec1f28fd7ca6e316b1a7e0b24
Formbook
f43fa3268bd5d31fd1dd0f34207786c10239b21868da3a8a9c3952c371330f80
Formbook
+ 593 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:m0u5 rat spyware stealer trojan
Link:
https://tria.ge/reports/230905-mpdbpseg5v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
787c813da25b42477467fc7e802d4e4d6c22fbdb848d5269be34c41daf692801
MD5 hash:
41f468dd8c1c98647a5a0afa8fc479f3
SHA1 hash:
67f89840e6c645e4c0eab4dcfaf559b5dc5b95d0
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/c9b6f5f2-5366-4e68-aaf9-6babf0e6a7ba/
Parent samples :
bc67ae3a554d2277fe852ed4b5545895960d32faba51c99d78b507fd77734d9a
7439b7be3572ee86c84019ac60a182f9f183f7ce14b56a59898a9772fbddedf5
f93c2d5447563c24b8a60a7404a32155093ecf40afeb7345490bc8ba2e87cd14
SH256 hash:
9c71f2c7ed7b14065e49e7f6b8d3e7543ee7b2b8d24d6e47c5dd027cd12fea85
MD5 hash:
68f5a458823de4b0b70f9900c956eadf
SHA1 hash:
f65acde877834f51fb5b5ec1b2bd9d8054d24060
Link:
https://www.unpac.me/results/c9b6f5f2-5366-4e68-aaf9-6babf0e6a7ba/
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/c9b6f5f2-5366-4e68-aaf9-6babf0e6a7ba/
SH256 hash:
b26a7e88c2fc5a6dbf3e1f5d8ac59c4579b3b9047f462c5cb7ee79548fa18da9
MD5 hash:
06dc1333af7361fb9ebebe5c4dbe58e4
SHA1 hash:
1adadf881904c5370e96c0a566085cf3c83ca8d0
Link:
https://www.unpac.me/results/c9b6f5f2-5366-4e68-aaf9-6babf0e6a7ba/
SH256 hash:
7439b7be3572ee86c84019ac60a182f9f183f7ce14b56a59898a9772fbddedf5
MD5 hash:
65b8f0d5e0879e399e0f0a1b20d72d54
SHA1 hash:
2f77979ecf3dafd8a0f6f1777f91e9433fcbfc0d
Link:
https://www.unpac.me/results/c9b6f5f2-5366-4e68-aaf9-6babf0e6a7ba/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7439b7be3572/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7439b7be3572ee86c84019ac60a182f9f183f7ce14b56a59898a9772fbddedf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446287/

Comments