MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76541f045182cd4f956ea38e70aac522dd8cc95bec94eb16ff435ac732da3b97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 9 File information Comments

SHA256 hash:	76541f045182cd4f956ea38e70aac522dd8cc95bec94eb16ff435ac732da3b97
SHA3-384 hash:	63e7f988961783422b83e623c17e47588357a6c3e4253ce036893ec8508c6e3e0b3912cababffcf7bce4311911f1c0ef
SHA1 hash:	8b48651990fc7151f5cc9911f9fa4e18d6503297
MD5 hash:	04e2bf8bad4d45271050d4e610f421f2
humanhash:	item-venus-fish-ink
File name:	Payment Slip.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	642'560 bytes
First seen:	2023-05-25 07:28:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:s2N8jiZ4zypIP0tPplTY6RhKuvW3kwi60jSa5lzAWTJMXmad93AHR2IhSbYiCROV:s2N8jiZ4zypIP0JTDE060+clzAsy1AxW
Threatray	2'909 similar samples on MalwareBazaar
TLSH	T18AD4232DAA56638AD8B74BF209114279833E5D46F833E3074D66F2DDCE66B052B11F0B
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

245

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Payment Slip.exe

Verdict:

No threats detected

Analysis date:

2023-05-25 07:55:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ea0b75ca-6877-40d1-8c97-f3181c0e0f34

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/391412/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67206905.28071.3127.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Sending a custom TCP request

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin packed

Link:

https://www.filescan.io/uploads/646f0e4534dbd150fa62a435/reports/c098c1fb-5329-4a1c-a455-0990ef803197/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/76541f045182cd4f956ea38e70aac522dd8cc95bec94eb16ff435ac732da3b97

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/30bf2a79-09f2-4f03-b6ae-8dc9ec0f5647

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1242414

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/76541f045182cd4f956ea38e70aac522dd8cc95bec94eb16ff435ac732da3b97/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-05-24 14:30:22 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ozkb6bcrqlgu7flouohhbkwfeloyzsk35skowfx7innmomw2holq._file

Verdict:

malicious

Label(s):

formbook

Formbook

0ef758cdcdaa95ecd6689cf13a719dd95def885bd1c5812295c2ed65d34b735d

Formbook

571f10fb2f8ed39463e85d4a5af98f8203489b60d7a634d890462f10d6b15f2d

Formbook

70d226c93cae74dfc4fc991b3fc74957cfb08881f53c232ed87e0d22cc5e30f1

Formbook

9994b20e500ad5c9973f3627d3b9225b7b7b6f9ef2c5dd37b93d71a8e479007c

Formbook

a8982b67f297cc68ff3f3de02cc7b60d51c8b4a3db85971ce4f73149fe67b6ee

Formbook

adc1bc8f700584e34f2196919fb2298cd8138a8dfcf498259f5b665976ce929c

Formbook

cb3c0c6adf5820177be2e484c182b3275255c00deef036765c197e8be0b4d16e

Formbook

d96b4d0c1efd573f0833df766811861d8b116e92383da4543993971306ecbe4d

Formbook

ff25677389d599682cc411460963f6adbff3879c2f2d3d7239312acfd57f42fe

Formbook

+ 2'899 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230525-ja8yaahb2y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

70382ea1b363da419e2b0e806739138db40b4ec2ea276de2f1aefbd46ee66ac9

MD5 hash:

c260a705d14d1209ee29f226099010a1

SHA1 hash:

f7a97ae4da5562d1064bc7c94d7b68e184361bcf

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/c26c0267-ed55-4fec-9b0f-05258741da31/

Parent samples :

d96b4d0c1efd573f0833df766811861d8b116e92383da4543993971306ecbe4d
70d226c93cae74dfc4fc991b3fc74957cfb08881f53c232ed87e0d22cc5e30f1
76541f045182cd4f956ea38e70aac522dd8cc95bec94eb16ff435ac732da3b97
22515e24bf09d7d7b9ed02436f05853d5174aac248eb79c2b32a82096c8b30a3
2df55ec2cbfe5ba2ddfd9a597a1c2dcfe3c91f211ba611180c97443773f79732
34a8585e0643993caaaa6c3fcd9933354087422062d3c887dada1d65b570bfb3
a022bc0ad88cce0b7ef8c68c7602003ff4150006503291b7ead2119ebdecb36d
03f51ffa9c987630724a451ad872f52bf97bd257ad06b58b6194f5dec29c8f13
395133081793df5c1542b9e77a64a5271d1b358c1a7db674108a7624a9104809
af7efb93740b9b9ee4cd6580a3eefa8298558c9f06b463eb44b03394cde441d5
0335bef9440cae7dd60e617e31258a490b9598e3dfa1325bf79ca9eca5c4c720
4e8d1df344f5009ab35ebb5fed59649cce3e0a9b7f27f312a7cc854eb74b889d
02dc237cae6224ab8277187f6574215e15b4ddd4bf5b2bddbedaa95fc077e4e2
14bd08ddfd5f3fbeffbe9adacf4662f83267492eb8a2ca70a5c7613050039dc9
3c4e179c3ad40c3916a358a7115d8b4ad6d957cb57cecbba7c979057e5370748
16ef953132f6f51c904ccd3e04c933c20110c1dcbab443059df7218392291d5f
2ea5fd6b8b0354c95a41470ae8cb816d0ffb61b6b34cd827ffa160c963b850ed
0978bd6c3a575dd054cd139eaecc851695800c859e61ed340b47c9d5bf0d0d38
ce9a0c42305d137c27b4f369996a15387ae6f0d1e391116f54e7733918083239

SH256 hash:

69ae0d2e1c3e2bbbe5183e41b3ac08a711b71c2740e59fab69abc6b463b249ae

MD5 hash:

4fc5c70a26e153516338b2bd4a6df5fb

SHA1 hash:

6d7e91edb55a50e3aeacf06752101ae672badc50

Link:

https://www.unpac.me/results/c26c0267-ed55-4fec-9b0f-05258741da31/

SH256 hash:

fef7f45c6afadec5a8c66fb1de4c6184724b3fae555aec08f3ed19b6a2bc2afd

MD5 hash:

fb0b538e5049b37f1264312a9c137672

SHA1 hash:

e9cd6bba2ccd062ba72a72ced2e505197db3d310

Link:

https://www.unpac.me/results/c26c0267-ed55-4fec-9b0f-05258741da31/

SH256 hash:

9c782708d18b3e3e39894ff3ef8050b1d50c74a488bfe6407491a20dfdaa5e39

MD5 hash:

bb04ec593a8e4a9c21bbd0bb8c357d25

SHA1 hash:

9e7afd556da6fa68f0e63a5819eb454b4e9e239e

Link:

https://www.unpac.me/results/c26c0267-ed55-4fec-9b0f-05258741da31/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/c26c0267-ed55-4fec-9b0f-05258741da31/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

a518e0fddabae1e59f933566cb54e592331404d5362976f3ef81a1432dac4ffb

MD5 hash:

de906fce89f615f303ddfb80c1b37b35

SHA1 hash:

3568e3f9f0731da9a3294f4f8de61f95dc3eec31

Link:

https://www.unpac.me/results/c26c0267-ed55-4fec-9b0f-05258741da31/

SH256 hash:

76541f045182cd4f956ea38e70aac522dd8cc95bec94eb16ff435ac732da3b97

MD5 hash:

04e2bf8bad4d45271050d4e610f421f2

SHA1 hash:

8b48651990fc7151f5cc9911f9fa4e18d6503297

Link:

https://www.unpac.me/results/c26c0267-ed55-4fec-9b0f-05258741da31/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/76541f045182/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 76541f045182cd4f956ea38e70aac522dd8cc95bec94eb16ff435ac732da3b97

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/391412/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample