MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a30b05b90cc46a65e1122c29ed405db741c416efec4d68ae798ec29a8362422. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a30b05b90cc46a65e1122c29ed405db741c416efec4d68ae798ec29a8362422
SHA3-384 hash: 62f69de69b7bae88098cd229488c9f5f4664fa2eda4f3a2e55fa70478d9c288e0d369cddfc5934bfd2e7b6e7c64999ae
SHA1 hash: ef98173d7216280cb309f9339c7fef53610fb48d
MD5 hash: 445c9cd04311d2ecb22364fe12978b74
humanhash: butter-eight-carolina-carpet
File name:PMP-INS-93-2436-IN-1017.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:295'434 bytes
First seen:2023-05-30 06:20:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:FYa6IfYojya9Jv/YWpxZ3J8EdiV1C4uPkxBMCxgcV+n0kQBhJh9nWbR:FYOgoea9Jv/DjZZ8Em1RbxSCuOhMbR
Threatray 2'983 similar samples on MalwareBazaar
TLSH T19A541220629081A7FC6142F02E7A629A5FD6A81216D8D74F17547FCDBD33362C20FB36
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PMP-INS-93-2436-IN-1017.exe
Verdict:
Malicious activity
Analysis date:
2023-05-30 06:21:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bf94a555-eaf0-4795-9590-92817be9380b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/393277/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.23568.307.2837.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88624/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/647595cf6407f39ba8adb5dc/reports/761c4349-887e-45fd-ad94-d84ade2b4d0c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7a30b05b90cc46a65e1122c29ed405db741c416efec4d68ae798ec29a8362422
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/59042659-680e-4dce-9187-29322e528078
Result
Threat name:
NSISDropper, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1244908
Signature
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a30b05b90cc46a65e1122c29ed405db741c416efec4d68ae798ec29a8362422/
Threat name:
Win32.Trojan.Nemesis
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 01:13:59 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=piylaw4qzrdkmxqrelbj5vaf3n2byqlo73cnncxhtdwctkbweqra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
142f8b22d894f1fee4c501acbc425edec276004d5d30ab7572cdfab85e89ad12
Formbook
1c120ac2bc08fbd5455f3d5a47dd87ce73e40fa4b0f7a3cdb2d41a85c800e603
Formbook
38e090d8747dd1332c68563c5f8204876d297ecfeb0a25da3282c57579cef3fa
Formbook
4ddb6586016ebaaa1601830f308bba390a40db9bb74babffb407824f64a43ea6
Formbook
652948efee89fdc5c6d3dc7f65a16aafabd0d224c9fcd55e5f86573f1b2c4aa1
Formbook
9a21938b14051d84ce270628a87593634366b0eb2f864e261cca25a062d860ae
Formbook
b6fe7602e8f288c48cf04e60306dc9349c5b9ebeb8faf35905abede7d0525480
Formbook
c600d764532a73a55f4eca84c27637dab39b4d47b06b13c71a691cafffbe7aba
Formbook
e57304555042d5835094d3ee4cdbcfc713e089f1af6b6764c76673a43c34c971
Formbook
ffb63b1c0f03e57910b1f9b67f89bfe69768e5121ed5a0ecfc3af93dd6bc4c1f
Formbook
+ 2'973 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230530-g4bhrsff83/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
7a30b05b90cc46a65e1122c29ed405db741c416efec4d68ae798ec29a8362422
MD5 hash:
445c9cd04311d2ecb22364fe12978b74
SHA1 hash:
ef98173d7216280cb309f9339c7fef53610fb48d
Link:
https://www.unpac.me/results/11e6e4cd-1f81-477f-a1a7-cb63e5a8bd00/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7a30b05b90cc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a30b05b90cc46a65e1122c29ed405db741c416efec4d68ae798ec29a8362422

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7a30b05b90cc46a65e1122c29ed405db741c416efec4d68ae798ec29a8362422

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/393277/

Comments