MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7480e4ba962590b3f14f4516861bb1aa80ffa08223a944ee6599cfe3b4e89bce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7480e4ba962590b3f14f4516861bb1aa80ffa08223a944ee6599cfe3b4e89bce
SHA3-384 hash: c3de656c15f06578bbe48f6a4faddaaa0888659e3e8cc1eb9c5454ccd9f6e38d509a0d009bee31f9768c29fa3dabdf43
SHA1 hash: 463778a640b327918d8e67cd2f9fa949be3b04e8
MD5 hash: 41d2899a4441944b48daba79bfb70dd0
humanhash: edward-johnny-louisiana-tango
File name:yeni sipariş pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:841'728 bytes
First seen:2022-02-07 12:20:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:0gj/bENYCnAszp78GQSQ5Kn1x8Yg60NrSbBWxOHy6kPWe1Bklb9tspOp5nAYPnyt:0EcYpspz6bYg6McBWxD6kue1alvkO
Threatray 13'121 similar samples on MalwareBazaar
TLSH T1E105D0AC725575EEC41BC972DA687CA0A73130B787CBD603912B129C8E5EA97DF004E7
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/235435/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62010eb2c79b424d72052b87/reports/4f0ad89f-ed6f-425f-975d-047e1d63f578/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3827f581-970d-444a-b7a8-bd034b3edc98
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/935127
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 567603 Sample: yeni sipari#U015f pdf.exe Startdate: 07/02/2022 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 13 other signatures 2->54 10 yeni sipari#U015f pdf.exe 7 2->10         started        process3 file4 40 C:\Users\user\AppData\...\oifnpghsFyo.exe, PE32 10->40 dropped 42 C:\Users\...\oifnpghsFyo.exe:Zone.Identifier, ASCII 10->42 dropped 44 C:\Users\user\AppData\Local\...\tmp620E.tmp, XML 10->44 dropped 46 C:\Users\...\yeni sipari#U015f pdf.exe.log, ASCII 10->46 dropped 56 Writes to foreign memory regions 10->56 58 Allocates memory in foreign processes 10->58 60 Adds a directory exclusion to Windows Defender 10->60 62 Injects a PE file into a foreign processes 10->62 14 RegSvcs.exe 10->14         started        17 powershell.exe 23 10->17         started        19 schtasks.exe 1 10->19         started        signatures5 process6 signatures7 70 Modifies the context of a thread in another process (thread injection) 14->70 72 Maps a DLL or memory area into another process 14->72 74 Sample uses process hollowing technique 14->74 76 2 other signatures 14->76 21 explorer.exe 14->21 injected 23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        process8 process9 27 help.exe 21->27         started        30 autochk.exe 21->30         started        32 autoconv.exe 21->32         started        signatures10 64 Modifies the context of a thread in another process (thread injection) 27->64 66 Maps a DLL or memory area into another process 27->66 68 Tries to detect virtualization through RDTSC time measurements 27->68 34 cmd.exe 1 27->34         started        36 explorer.exe 141 27->36         started        process11 process12 38 conhost.exe 34->38         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7480e4ba962590b3f14f4516861bb1aa80ffa08223a944ee6599cfe3b4e89bce/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-07 09:48:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=osaojouwewilh4kpiulimg5rvkap7ieceouuj3tfthh6hnhitpha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
10aa7088156f972d7f44c8183c9b26c4ca290e5e1b92b59585a91b9946fb73e2
Formbook
13ce54d053256ed33282cc8e8a47f9a3c83f9b96f4230df70a7b947c55c611f5
Formbook
3662913e3004f6e3811499a9877265b55fd4b99400607d2f4b4168dc2621f1ab
Formbook
3bea5fb4e6d7f626a3448f9815c3ed932a8bf14fc7eab5739cc5dc69de03960c
Formbook
4c5d57b063eeb8b59a0d22007e4698b75e7f16d2144636fd0610661a733b5b1b
Formbook
76c2944d78f0dac034e5a7cc6a916c30e66a88aaaaf3481b9af71db7bcdf9ca6
Formbook
95773ba387f93d567c9b0dd7e7c6a71e67e9545b146231c7acfc24d040fdd249
Formbook
dcec29b67b720887c02915f7eb210942445a64e450f03bf12ca03ed345bc300a
Formbook
e5938a9efbdbf0a81790e0287b086b4a322b756db37ec4006419a6ada47073be
Formbook
+ 13'111 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:g2m3 rat spyware stealer trojan
Link:
https://tria.ge/reports/220207-pjdrdsccc9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Formbook Payload
Formbook
Unpacked files
SH256 hash:
c5b71db9f1b9cd63452ad836762bf1381ddf0a833df8ce17a3439ae9e92178cb
MD5 hash:
681a48e3a833b98293bebb8f47b2fc3d
SHA1 hash:
610f31e10da0f45fa658594f784eba651b99bee1
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d7d29d47-e3a2-4daf-86d1-6016c45c1ea2/
Parent samples :
3d28df7c5fa301b4e6d80f4bbc9dfa70bec762ca5ef085bcc8373b4b359b177f
13ce54d053256ed33282cc8e8a47f9a3c83f9b96f4230df70a7b947c55c611f5
7480e4ba962590b3f14f4516861bb1aa80ffa08223a944ee6599cfe3b4e89bce
134564f9e07f69726c8cfc19fcaf998d7f00163d704e9a2864b2d592be84d091
e9f29862ff2acf2bf4ca90262d717a32ed3236656081e6014e9b55d962707c1f
2c3c06ae684b68083640169fb962cc24fb32d4efe232a0ec0727f7c5d69dacae
dce0a6cd0dcb808bfcdd3539f85721d004f7b528832314d40149039262440349
8c3f224cf0567bbd99154105d471e29b60f5e5c0afb2683be992c9f702a7e7d9
38b3959cf30fce3b03c31286231db4d220427e31af7e3d7458792cdb3e8b895d
a0af1e02a12e827298c0209e485466f4c3ce4d3bfc9b50f778d6004d5c2abde0
a8e45b2b0117e0a1e195a054667fca524862223bd2838a17f2ac9f47fe6191cc
SH256 hash:
0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9
MD5 hash:
263b5190f7ac42d83c756dcdf38147bb
SHA1 hash:
78f419fe3936ed7d603706c47230cd3e6ff79ffe
Link:
https://www.unpac.me/results/d7d29d47-e3a2-4daf-86d1-6016c45c1ea2/
SH256 hash:
b3e89c1b8e08ef8646f037ee3243184ea293c388c3ef06a17b3629b0a7a6e477
MD5 hash:
01fdf8f51bf07b27cd5bbc02e48636c6
SHA1 hash:
3884859b3955b0b1cae42f7381c363d941d2eb31
Link:
https://www.unpac.me/results/d7d29d47-e3a2-4daf-86d1-6016c45c1ea2/
SH256 hash:
7480e4ba962590b3f14f4516861bb1aa80ffa08223a944ee6599cfe3b4e89bce
MD5 hash:
41d2899a4441944b48daba79bfb70dd0
SHA1 hash:
463778a640b327918d8e67cd2f9fa949be3b04e8
Link:
https://www.unpac.me/results/d7d29d47-e3a2-4daf-86d1-6016c45c1ea2/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7480e4ba9625/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7480e4ba962590b3f14f4516861bb1aa80ffa08223a944ee6599cfe3b4e89bce

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/235435/

Comments