MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b1689fbe7c8e84cad627ff61b7fcff876655c0fb42bfb0b539d5b59582a71ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b1689fbe7c8e84cad627ff61b7fcff876655c0fb42bfb0b539d5b59582a71ab
SHA3-384 hash: f43f49d10fc22c2684a4be9dfd4a943d9a64b0723e9a99a40bee5c7cbec769a71deb8c93a19f7b5dc6a45b2c2abea089
SHA1 hash: 7c0ab592ef6e997def5af35bb0cb10c5cfd281ac
MD5 hash: 89119a7a7793f05b9a38985a63a91262
humanhash: mountain-beryllium-dakota-indigo
File name:89119a7a7793f05b9a38985a63a91262
Download: download sample
Signature Formbook
Create hunting rule
File size:786'432 bytes
First seen:2022-11-07 13:20:04 UTC
Last seen:2022-11-07 15:18:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:cCIpYg3b0gKO0P+UuL0XfesCWU4Ehw1OzXlat8lM8i+m+evZwwfXXgRUOU:dPBc0X2st7EhCOxaKlziGgZwCXXhO
Threatray 15'768 similar samples on MalwareBazaar
TLSH T1F5F4CFF8185031B9DBAEDF32906D2F648BA31D9153C2FA4F1090B5B51A33BE39625C5B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
89119a7a7793f05b9a38985a63a91262
Verdict:
Malicious activity
Analysis date:
2022-11-07 13:21:23 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/ed00f86d-47e5-4328-b94c-7d9f909f2a02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/329922/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.AGZO.tr.28097.12441.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6369060d775605b3a4f3ddce/reports/89f9aff0-6c5b-483e-a166-8eab2f3a2cd1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e55d69d8-c74d-46fc-a390-5b5a5e15aa2b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1107777
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 740441 Sample: ayvobEUnqV.exe Startdate: 07/11/2022 Architecture: WINDOWS Score: 100 50 www.simdiiste.xyz 2->50 52 redirect.natrocdn.com 2->52 54 natroredirect.natrocdn.com 2->54 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus / Scanner detection for submitted sample 2->68 70 Sigma detected: Scheduled temp file as task from temp location 2->70 72 8 other signatures 2->72 9 ayvobEUnqV.exe 7 2->9         started        13 wGJnkFfjS.exe 5 2->13         started        signatures3 process4 dnsIp5 42 C:\Users\user\AppData\Roaming\wGJnkFfjS.exe, PE32 9->42 dropped 44 C:\Users\...\wGJnkFfjS.exe:Zone.Identifier, ASCII 9->44 dropped 46 C:\Users\user\AppData\Local\...\tmp1B17.tmp, XML 9->46 dropped 48 C:\Users\user\AppData\...\ayvobEUnqV.exe.log, ASCII 9->48 dropped 78 Uses schtasks.exe or at.exe to add and modify task schedules 9->78 80 Writes to foreign memory regions 9->80 82 Adds a directory exclusion to Windows Defender 9->82 84 Injects a PE file into a foreign processes 9->84 16 MSBuild.exe 9->16         started        19 powershell.exe 18 9->19         started        21 schtasks.exe 1 9->21         started        56 192.168.2.1 unknown unknown 13->56 86 Antivirus detection for dropped file 13->86 88 Multi AV Scanner detection for dropped file 13->88 90 Machine Learning detection for dropped file 13->90 23 MSBuild.exe 13->23         started        25 schtasks.exe 1 13->25         started        27 MSBuild.exe 13->27         started        file6 signatures7 process8 signatures9 58 Modifies the context of a thread in another process (thread injection) 16->58 60 Maps a DLL or memory area into another process 16->60 62 Sample uses process hollowing technique 16->62 64 Queues an APC in another process (thread injection) 16->64 29 explorer.exe 16->29 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 25->35         started        process10 process11 37 cmstp.exe 29->37         started        40 cscript.exe 29->40         started        signatures12 74 Modifies the context of a thread in another process (thread injection) 37->74 76 Maps a DLL or memory area into another process 37->76
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b1689fbe7c8e84cad627ff61b7fcff876655c0fb42bfb0b539d5b59582a71ab/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-11-07 13:21:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
24 of 41 (58.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pmlit67hzduezllcp73bw76p7b3gkxapwqv7wc2ttvnvswbkogvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01e953f7efe55cf5970090491b1fc25dce140a505dea9e74bb07b81e3ef4f89e
Formbook
3bac0715b2f1f0a408c7640ea62cea43789e92dc97caad6dfa206d6d805fb266
Formbook
406d598252fddcb959a27c828c8d258ae662e2a07cfcae1a107608e65c680c6b
Formbook
4f319d971fd23958cbb4a4a2dcc608c2cba461194011e526d693c25a909e8505
Formbook
6e5d99d18277264f3c4da40f9ac2233e1adfde344174dcdcb9f06fc1ed545f80
Formbook
a3e826a617c70963f36c801778b0a572d0bd07bb5dd519bbbde5712fe4a9f226
Formbook
e3c262e12306134d77bc9ddab5530cba29e83c9cafbec4ff39ac719540946ee0
Formbook
f72205e001670625bf222e1023da747d37df422e831601d16cf614a69f180d8e
Formbook
+ 15'758 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fswe rat spyware stealer trojan
Link:
https://tria.ge/reports/221107-qk4vmsbfcm/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/338b7be3-1b84-47a6-bcf1-564f73843bf9
Unpacked files
SH256 hash:
480fee0db2c67fa005d4827ff5b5269d8fb0722ebe9a2e23202e572f57cd249a
MD5 hash:
57cd43facf1ba79cfb7696dda3d5d2a9
SHA1 hash:
8ceab353af0094c4db027db444cc8ba19e756593
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/34d11cc2-23b7-4151-952b-ee1d81831fbc/
Parent samples :
7b1689fbe7c8e84cad627ff61b7fcff876655c0fb42bfb0b539d5b59582a71ab
32c5f893748d30548193994624dd516bf2bd343e03678a444e6f47d4123735fa
4efed095f398feebacf3ccba9b08d00c398ea52424aca039d89ebd36580c0e96
734e6dd5e26f004a7a170d9f9b9d46104c853b065985902c3b6bbd8585048b1f
SH256 hash:
f29a7ee44b8c31c1a3f296b79df3f41d9146d2f6c55c7e5c1f4398b1ca8d3b20
MD5 hash:
39e38bb25b009100b4ecf29db33bd968
SHA1 hash:
614e9a04f5992bf088c754e13e4fa1e295e9bd05
Link:
https://www.unpac.me/results/34d11cc2-23b7-4151-952b-ee1d81831fbc/
SH256 hash:
60063e05d885a07952b3a2df7b1fb254529397c735fdbde8adb1721161dadf19
MD5 hash:
847e66958bb9db6296bc655d78adae7a
SHA1 hash:
64e3511e58c09d939b843bfe319935013f8552fe
Link:
https://www.unpac.me/results/34d11cc2-23b7-4151-952b-ee1d81831fbc/
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/34d11cc2-23b7-4151-952b-ee1d81831fbc/
SH256 hash:
92bd802a0f7eb1213758a6c1a4c07302e0320c3a2aeb6273b0303dd3bbdefe90
MD5 hash:
046e97119545e5abde2f40b5dc3a0344
SHA1 hash:
3e69b67ddff2554c8cd72e129d4da9c8acd9d331
Link:
https://www.unpac.me/results/34d11cc2-23b7-4151-952b-ee1d81831fbc/
SH256 hash:
2ef0c5b926f4d467822953f33a5ceb2e9c403b1db2729cbc78714e7052d60908
MD5 hash:
157f48e816d9580e7571410244a700c7
SHA1 hash:
0ab004bd02eece2fb4f27e69840355665861ece2
Link:
https://www.unpac.me/results/34d11cc2-23b7-4151-952b-ee1d81831fbc/
SH256 hash:
7b1689fbe7c8e84cad627ff61b7fcff876655c0fb42bfb0b539d5b59582a71ab
MD5 hash:
89119a7a7793f05b9a38985a63a91262
SHA1 hash:
7c0ab592ef6e997def5af35bb0cb10c5cfd281ac
Link:
https://www.unpac.me/results/34d11cc2-23b7-4151-952b-ee1d81831fbc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7b1689fbe7c8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b1689fbe7c8e84cad627ff61b7fcff876655c0fb42bfb0b539d5b59582a71ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 7b1689fbe7c8e84cad627ff61b7fcff876655c0fb42bfb0b539d5b59582a71ab

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/329922/
  
URLhaus
https://urlhaus.abuse.ch/url/2403251/

Comments


Avatar
zbet commented on 2022-11-07 13:20:09 UTC

url : hxxp://107.172.44.174/400/vbc.exe