MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7616904db54d77cb25cc58f279bfdf6ef5cbabe19573cbd781238be01daaa1c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7616904db54d77cb25cc58f279bfdf6ef5cbabe19573cbd781238be01daaa1c4
SHA3-384 hash: 4ac18afe0a3dcbc0c8d365b15d697a7a9ad83762a59c76fb0e07b55fefed058e8e2d56aa26cd4ac41d7974d9238a5cf3
SHA1 hash: f37255d99c5bff5c1e60209d7afee3445e277e6d
MD5 hash: e392c45451247441d1763095db3cd57a
humanhash: wolfram-don-missouri-bulldog
File name:New Purchase Order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:733'696 bytes
First seen:2024-09-18 07:00:57 UTC
Last seen:2024-09-18 09:31:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:NVYEZ6MDir5xlYeurNrB2bUyH8sETibdXEBYqLy+Z2WY13yxMWZIzM:POr5EeM16zcsAibaj7Yiqtz
TLSH T11BF4017123F4DD29C2B90334A431E33999255E9BE239C162FBDE7D97BF2AB015527202
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon ccb2b2828bb2a280 (4 x Formbook, 2 x AgentTesla, 2 x RemcosRAT)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
430
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
New Purchase Order.exe
Verdict:
Malicious activity
Analysis date:
2024-09-18 07:08:26 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/06c59f0d-4ca1-4dfe-97f4-226612432ff7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.9791.8273.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ea7ab75d6a2b58599aa114
Tags:
Banker Encryption Execution Generic Network Msil Dexter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/66ea7ab6bb9fe02b41b484e7/reports/77f97597-bc87-4618-8acd-d4fda6c9e52a/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/7616904db54d77cb25cc58f279bfdf6ef5cbabe19573cbd781238be01daaa1c4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff0f5be2-f1d9-4df6-9c9f-9d469b99c2a7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1512971
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1512971 Sample: New Purchase Order.exe Startdate: 18/09/2024 Architecture: WINDOWS Score: 100 59 www.nevsehir-nakliyat.xyz 2->59 61 www.nosr.net 2->61 63 11 other IPs or domains 2->63 75 Suricata IDS alerts for network traffic 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus / Scanner detection for submitted sample 2->79 83 11 other signatures 2->83 10 New Purchase Order.exe 7 2->10         started        14 hbaiQWstL.exe 5 2->14         started        signatures3 81 Performs DNS queries to domains with low reputation 59->81 process4 file5 51 C:\Users\user\AppData\Roaming\hbaiQWstL.exe, PE32 10->51 dropped 53 C:\Users\...\hbaiQWstL.exe:Zone.Identifier, ASCII 10->53 dropped 55 C:\Users\user\AppData\Local\...\tmpBCD4.tmp, XML 10->55 dropped 57 C:\Users\user\...57ew Purchase Order.exe.log, ASCII 10->57 dropped 93 Adds a directory exclusion to Windows Defender 10->93 95 Injects a PE file into a foreign processes 10->95 16 New Purchase Order.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        23 schtasks.exe 1 10->23         started        97 Antivirus detection for dropped file 14->97 99 Multi AV Scanner detection for dropped file 14->99 101 Machine Learning detection for dropped file 14->101 25 schtasks.exe 1 14->25         started        27 hbaiQWstL.exe 14->27         started        signatures6 process7 signatures8 71 Maps a DLL or memory area into another process 16->71 29 SguBfrlSDIFxPr.exe 16->29 injected 73 Loading BitLocker PowerShell Module 19->73 32 WmiPrvSE.exe 19->32         started        34 conhost.exe 19->34         started        36 conhost.exe 21->36         started        38 conhost.exe 23->38         started        40 conhost.exe 25->40         started        process9 signatures10 103 Found direct / indirect Syscall (likely to bypass EDR) 29->103 42 setupugc.exe 13 29->42         started        process11 signatures12 85 Tries to steal Mail credentials (via file / registry access) 42->85 87 Tries to harvest and steal browser information (history, passwords, etc) 42->87 89 Modifies the context of a thread in another process (thread injection) 42->89 91 3 other signatures 42->91 45 SguBfrlSDIFxPr.exe 42->45 injected 49 firefox.exe 42->49         started        process13 dnsIp14 65 nosr.net 82.221.128.183, 49723, 80 THORDC-ASIS Iceland 45->65 67 www.complexity.pub 217.160.0.127, 57951, 57952, 57953 ONEANDONE-ASBrauerstrasse48DE Germany 45->67 69 4 other IPs or domains 45->69 105 Found direct / indirect Syscall (likely to bypass EDR) 45->105 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7616904db54d77cb25cc58f279bfdf6ef5cbabe19573cbd781238be01daaa1c4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7616904db54d77cb25cc58f279bfdf6ef5cbabe19573cbd781238be01daaa1c4/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2024-09-18 02:14:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oyljatnvjv34wjomldzhtp67n324xk7bsvz4xv4beof6ahnkuhca._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/240918-hs782ayakf/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2b758799-d9c0-40b3-bf1f-2e77fb758fb6
Unpacked files
SH256 hash:
ed84e742622297425076d7af18a8d69a2f1c3d91418af54eae4272826cad8802
MD5 hash:
cc57a85478e3dc472bf8b8c158a2ee72
SHA1 hash:
7eb6e96fdeb7a1902bf4cd5077710db365235d1d
Link:
https://www.unpac.me/results/de4064a9-2d23-44f6-8cee-9a4b56f2e289/
SH256 hash:
a7ca8f668bb1dd9b056bc14a6bfb247c8348788c320171723c42d857f98d4e0b
MD5 hash:
0f3d4ec95e9a777879cc235877f239da
SHA1 hash:
e8366fee7d27cf4279b74ca927c3ee1e8d5380d6
Link:
https://www.unpac.me/results/de4064a9-2d23-44f6-8cee-9a4b56f2e289/
SH256 hash:
6f2b1e64750ac93d6e6553a7bbccc835c582a6b30ade830b36a3b466b83f02ff
MD5 hash:
15936e972f9ff3f2806996a6e94b82e7
SHA1 hash:
8c38bc3b96c2bb7d3b853b6ebbbd4ae9b27f23f6
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/de4064a9-2d23-44f6-8cee-9a4b56f2e289/
SH256 hash:
d1f4761e2e1e15fe454a70864c3aa1da7d6dc90582222bbd7e6d53d0bbee6f62
MD5 hash:
b08a9c9cb485bd7567bf062922a1e897
SHA1 hash:
3b5781fb115d06bdede80cb6ff627fde1a50d9f5
Link:
https://www.unpac.me/results/de4064a9-2d23-44f6-8cee-9a4b56f2e289/
Parent samples :
e0c6754a29f3aae510a03bbfc2f03a576fa27bdb4915b35649b357912606fffa
b222db5c481e3e1421f07bd35fe5022b912d3e70214c254a00d9e8ec5c382987
2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd
c30bcd2377714775a591adfba9ffcbc833f646bf9669829acf1d0dd0c07e030d
9c7df3a3e8174fcad51ce98aa8875fd72b8e7acadb309ad8b6ac59e8a0c1d65d
39454a1ce8c389d837bb510efe44858712813fd3ef611822af3a1e5b0f64f52a
b4ea9fc8891fce7e255d583efa962256b0dee44df2de28f0e4d4ae8145f0ca5a
019c0bda2cdb00d88ddd70fae9c57490c14b218aa3c2e9f383f75fa415c03168
00bebcf6a27277b5060ea1264725f496a99b7e5d06649e6e8c9c8ad24055ec61
0787749d9897612314975e2943139157efcff4dbf604323d3d950c76b7555719
SH256 hash:
7616904db54d77cb25cc58f279bfdf6ef5cbabe19573cbd781238be01daaa1c4
MD5 hash:
e392c45451247441d1763095db3cd57a
SHA1 hash:
f37255d99c5bff5c1e60209d7afee3445e277e6d
Link:
https://www.unpac.me/results/de4064a9-2d23-44f6-8cee-9a4b56f2e289/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7616904db54d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_APT29_WINELOADER_Backdoor
Create hunting rule
Author:daniyyell
Description:Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

z cd2faab1666b4e3e14ef82edbbb64c6d4260576691dade68fae132314adb8f70

Formbook

Executable exe 7616904db54d77cb25cc58f279bfdf6ef5cbabe19573cbd781238be01daaa1c4

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 cd2faab1666b4e3e14ef82edbbb64c6d4260576691dade68fae132314adb8f70
  
Dropped by
SHA256 c55474b755b8eee2a1372fda5c10eb0fc1af7f76047adf4f3b387312813d0cf9
  
Dropped by
MD5 44c19ac0dab845f17f682d5923145a2f
  
Dropped by
MD5 f83114444eabc7496908111f1de82b30

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments