MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79cd2390cf00585b34c33f6c024ac29d8fe62b89a8a0b960233bbb20c6b3ccad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	79cd2390cf00585b34c33f6c024ac29d8fe62b89a8a0b960233bbb20c6b3ccad
SHA3-384 hash:	70d620a5317efaac861fc4528216802ef6833e7677af4dd1f6f2c25a7a2617838d9899baa28584889208b41a8f51e07c
SHA1 hash:	6f3dfcfed420f5520c84ed4a7ffc991869eb20e3
MD5 hash:	d9879be0d847226ebd4130078e636d85
humanhash:	snake-princess-bravo-nebraska
File name:	Purchase Orders.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	579'584 bytes
First seen:	2022-06-17 09:18:05 UTC
Last seen:	2022-06-17 12:05:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:ppzjdrjATmDq3C19mRn2PPvIkmfIfrHyZnaLKa2+XG+r:RrcTR3zu0Ir+naLKa2+z
TLSH	T1E0C4F1503274DB92E6B977F2D0AE80F027B17E26EA41D56F6CC03EC87972BD21609917
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

244

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/280903/

Detection(s):

SecuriteInfo.com.IL.Trojan.MSILZilla.19314.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching the process to change network settings

Launching cmd.exe command interpreter

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62ac46e6b7a5f5720e27930b/reports/09604a8e-cbd0-4aad-897d-e924f6d63cf7/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6cc0d1e0-53fa-4d7e-ba22-0e454ca8e9ab

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1015137

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/79cd2390cf00585b34c33f6c024ac29d8fe62b89a8a0b960233bbb20c6b3ccad/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-06-17 09:19:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=phgshegpabmfwngdh5waeswctwh6mk4jvcqlsybdho5sbrvtzswq._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader campaign:utg6 loader persistence rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220617-k96smsbcgj/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Adds policy Run key to start application

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Formbook

Unpacked files

SH256 hash:

ad4274b20b0faf0ecffc508571f691383b2f556b8b7d850e5e97fca2fe8fdd39

MD5 hash:

cce19c5ce96a995f33711129b81c1ee6

SHA1 hash:

2eb5eab329a79eac56470c1b7d87ac6be7dd2982

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/182d740c-2ab5-4f57-beaa-f63cf2b85421/

Parent samples :

79cd2390cf00585b34c33f6c024ac29d8fe62b89a8a0b960233bbb20c6b3ccad
a013267b2dae410a6e166f9faaceebef0324d4b9036531856f10275f30ce41b8
27a558d460d700f26cb24a6f6b52d14fcbecf08cf984b3fd8a3a8f35e625ef49
7c24beab54e69d57daba589cd79bb5161de2d8f33fdd5e757e00b622039b80e4

SH256 hash:

84238dc32dc2c72716d7233f509b43a45617e2a24ca07eecda58ae37a704b90b

MD5 hash:

1d6115ad56b1707c8afa1a65f22afc96

SHA1 hash:

58cbf25298e84cf9d91da78ae370ac5ddbb2c3fd

Link:

https://www.unpac.me/results/182d740c-2ab5-4f57-beaa-f63cf2b85421/

SH256 hash:

732c66da5617e1a91e7cf4e603a2d197bcea7586aebbf9d4fcec5c476c663d01

MD5 hash:

22681679b0c68edd5379fd84fde5fb53

SHA1 hash:

1a8e5324137b394fd59ce4d261e2a3356a0649d1

Link:

https://www.unpac.me/results/182d740c-2ab5-4f57-beaa-f63cf2b85421/

SH256 hash:

5f14ca16da9559d14504cf32646de89c7323ee3c73084b0322de51acd64af92f

MD5 hash:

1b7415b482f4c8fd91b0d37c30564544

SHA1 hash:

0fe5a68de3255ab936afe85e7805b8ca15be7fc8

Link:

https://www.unpac.me/results/182d740c-2ab5-4f57-beaa-f63cf2b85421/

SH256 hash:

79cd2390cf00585b34c33f6c024ac29d8fe62b89a8a0b960233bbb20c6b3ccad

MD5 hash:

d9879be0d847226ebd4130078e636d85

SHA1 hash:

6f3dfcfed420f5520c84ed4a7ffc991869eb20e3

Link:

https://www.unpac.me/results/182d740c-2ab5-4f57-beaa-f63cf2b85421/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/79cd2390cf00585b34c33f6c024ac29d8fe62b89a8a0b960233bbb20c6b3ccad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 4cf5c6b24fb692851a4c2a19bbe334b8c7e367606f6dce575b01eac8baa3e35e

Formbook

exe 79cd2390cf00585b34c33f6c024ac29d8fe62b89a8a0b960233bbb20c6b3ccad

(this sample)

Dropped by

formbook

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/280903/

Dropped by

SHA256 4cf5c6b24fb692851a4c2a19bbe334b8c7e367606f6dce575b01eac8baa3e35e

Dropped by

MD5 a2cccd242fc5d07f28218c5b5bda7c39

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample