MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75f1e56e5e512b3271f6d885e5f316de1572c79b0a3639ec8392d44748635893. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75f1e56e5e512b3271f6d885e5f316de1572c79b0a3639ec8392d44748635893
SHA3-384 hash: ac8f038e8881547120581a3d02032c145cc7b0e59c49217d00e4edc55655f7ac0d53fec71d16dc642ed9c0dbb9e60d18
SHA1 hash: 6d6b2b51fe70c3af25a875056dbc5bc7d8a8fd24
MD5 hash: 05077ef58bfcc4b673d84ee14a9e9ed9
humanhash: bluebird-alpha-spring-illinois
File name:PDA-APPOINTMENT-LETTER-DOCX.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:807'424 bytes
First seen:2024-05-20 06:17:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:sWtL3BEiN1kIF6P7b2K2DDrd/FjXl37yRd:HJBEicES7b8vvjXE
TLSH T1740512B272894453CCBDA9BCD043451863B29FED6281D5C48FFD71D88EA27849DC2E87
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
75f1e56e5e512b3271f6d885e5f316de1572c79b0a3639ec8392d44748635893.exe
Verdict:
Malicious activity
Analysis date:
2024-05-20 06:17:43 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/e1bf4f3e-abc1-469a-a1dc-f38533238721

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/75f1e56e5e512b3271f6d885e5f316de1572c79b0a3639ec8392d44748635893
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/52c0adde-3851-4930-9c92-081d1a311ed2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1444122
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1444122 Sample: PDA-APPOINTMENT-LETTER-DOCX.exe Startdate: 20/05/2024 Architecture: WINDOWS Score: 100 28 www.d99qtpkvavjj.xyz 2->28 30 www.kohfour.com 2->30 32 5 other IPs or domains 2->32 42 Snort IDS alert for network traffic 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 50 5 other signatures 2->50 10 PDA-APPOINTMENT-LETTER-DOCX.exe 3 2->10         started        signatures3 48 Performs DNS queries to domains with low reputation 28->48 process4 signatures5 62 Injects a PE file into a foreign processes 10->62 13 PDA-APPOINTMENT-LETTER-DOCX.exe 10->13         started        process6 signatures7 64 Maps a DLL or memory area into another process 13->64 16 gDSIilYbkicAbXghLxyOHOE.exe 13->16 injected process8 signatures9 40 Found direct / indirect Syscall (likely to bypass EDR) 16->40 19 raserver.exe 13 16->19         started        process10 signatures11 52 Tries to steal Mail credentials (via file / registry access) 19->52 54 Tries to harvest and steal browser information (history, passwords, etc) 19->54 56 Modifies the context of a thread in another process (thread injection) 19->56 58 2 other signatures 19->58 22 gDSIilYbkicAbXghLxyOHOE.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.kohfour.com 216.40.34.41, 49714, 80 TUCOWSCA Canada 22->34 36 www.fruitique.co.uk 212.227.172.253, 49715, 49716, 49717 ONEANDONE-ASBrauerstrasse48DE Germany 22->36 38 2 other IPs or domains 22->38 60 Found direct / indirect Syscall (likely to bypass EDR) 22->60 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/75f1e56e5e512b3271f6d885e5f316de1572c79b0a3639ec8392d44748635893
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75f1e56e5e512b3271f6d885e5f316de1572c79b0a3639ec8392d44748635893/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-05-20 05:37:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oxy6k3s6kevte4pw3cc6l4yw3ykxfr43bi3dt3edslkeosddlcjq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240520-g2l7gsfg31/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/96382282-5edb-4524-ba00-31b8e89cb09c
Unpacked files
SH256 hash:
2770d64ba970a95b919e98dd0402c9863edba74c92f39095bd1c6d859f9818fb
MD5 hash:
10f06cba25a5cf29e0cd8a4302be3546
SHA1 hash:
8f7a56a7b49e9ecb9c70314124aa55d8696ad7a2
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/6df089d3-dc88-419e-9b69-56eff12b8e85/
Parent samples :
75f1e56e5e512b3271f6d885e5f316de1572c79b0a3639ec8392d44748635893
ae7293552618e185011eae4c59f640133a5425b72ffcb428ccff9eca5147c7c3
SH256 hash:
2d2988efe051d2662cfb6ea4cc4f5c00da70895ce183aa655ff74e7cf5e2df9d
MD5 hash:
5c011c095efebec446498caf4a1eca6d
SHA1 hash:
71666dfff5e4d5ef458b22d85dd9ea5d60eb8f5e
Link:
https://www.unpac.me/results/6df089d3-dc88-419e-9b69-56eff12b8e85/
SH256 hash:
a13c3bdf634477fa29c8364adb717f0c3b08967f2ef94d3aac36736231026a1a
MD5 hash:
2bafe3a29094a33403b83b3dbe7369f8
SHA1 hash:
ebeff033d50a05a1e401cf7bf9309ad392e5b3cd
Link:
https://www.unpac.me/results/6df089d3-dc88-419e-9b69-56eff12b8e85/
SH256 hash:
a72cc8784b3e28e463e7c6694310494524f00d05c81097faa22bb7350fa5461e
MD5 hash:
80b34284eaa6e0e3b5398e13383da3d0
SHA1 hash:
c7f512c66e72a22bbf6b8af42288a0e0b8ebde59
Link:
https://www.unpac.me/results/6df089d3-dc88-419e-9b69-56eff12b8e85/
SH256 hash:
f540e8d603962027b3a1f8b86d035281bfbdd3a05a621ead255825bc2082632a
MD5 hash:
d172f59251b97b415b621d302e1be2b7
SHA1 hash:
b1534e603749c901b5ac185f20e281f6be7fa908
Link:
https://www.unpac.me/results/6df089d3-dc88-419e-9b69-56eff12b8e85/
SH256 hash:
371171eaf5720fd6328ddb8fcb21a9cf1b3aaed9b2bd05862fc944783d1b981c
MD5 hash:
ea890bae7822f78ccc03e42cfd7b06eb
SHA1 hash:
dd9a8d9cd66da163a4bec3a90875c7b772efbcdf
Link:
https://www.unpac.me/results/6df089d3-dc88-419e-9b69-56eff12b8e85/
SH256 hash:
6b78a5d66b43a61b0d6712d8d66c2d2a38398acea396ffa3c3ed5dc662256b6a
MD5 hash:
5712e8c8199833d9201dae4a34c0da27
SHA1 hash:
6e679bb1d75f5d853b8fbc35217a98b2cbfec4aa
Link:
https://www.unpac.me/results/6df089d3-dc88-419e-9b69-56eff12b8e85/
SH256 hash:
5af1953d0be5732434e50b0b2c5ff803bf3346e2835c19c1e8e56c28c67949cf
MD5 hash:
3797c321f762c7593761c34ccab60974
SHA1 hash:
6b1c83c9e50a22896b631bc82c5dcdca06989c09
Link:
https://www.unpac.me/results/6df089d3-dc88-419e-9b69-56eff12b8e85/
SH256 hash:
cc366d635c31c5b9c88eb9432f73b585a172cf7e0bfb1bcef8ec3f5a94673247
MD5 hash:
d2007d2954ad541319d20703dfdd1713
SHA1 hash:
144b88fc65cf95e3dedf32f1d4a586f5d3e3c357
Link:
https://www.unpac.me/results/6df089d3-dc88-419e-9b69-56eff12b8e85/
SH256 hash:
1094ca7cf7e71b816d25aeef5709e461274249e8823c22b90e6bdcdff1298d65
MD5 hash:
d0c83f007b4373f541d25207ec30968a
SHA1 hash:
0e4bd1d94adb3e46f6d7f6a0bed9b71951009001
Link:
https://www.unpac.me/results/6df089d3-dc88-419e-9b69-56eff12b8e85/
SH256 hash:
3295af4d7c9e530291255c270566f39da9321836ecf140ff16734f7202f87ee4
MD5 hash:
4e01a11f42b8289136a4b647fef3b940
SHA1 hash:
042af9dfa025cd8c065e99790a0200186db824b9
Link:
https://www.unpac.me/results/6df089d3-dc88-419e-9b69-56eff12b8e85/
SH256 hash:
75f1e56e5e512b3271f6d885e5f316de1572c79b0a3639ec8392d44748635893
MD5 hash:
05077ef58bfcc4b673d84ee14a9e9ed9
SHA1 hash:
6d6b2b51fe70c3af25a875056dbc5bc7d8a8fd24
Link:
https://www.unpac.me/results/6df089d3-dc88-419e-9b69-56eff12b8e85/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/75f1e56e5e51/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/75f1e56e5e512b3271f6d885e5f316de1572c79b0a3639ec8392d44748635893

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 75f1e56e5e512b3271f6d885e5f316de1572c79b0a3639ec8392d44748635893

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments