MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b5de7135bd7e3c2eb98a94977c138597d357def8a9851a8df3ee442f83ec737. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b5de7135bd7e3c2eb98a94977c138597d357def8a9851a8df3ee442f83ec737
SHA3-384 hash: 7c4d161eb654ec257ff309cfdf485389577688b93c7004e8be95cb98f76909704bc6d217fe684d8366ab62255229c491
SHA1 hash: 4f8c369ff1be2d9e02594b971ee24f4a2c8e18c9
MD5 hash: 08be9eb13ce48889a767c1faf80fc855
humanhash: magazine-fillet-delaware-kilo
File name:INVPRF2100114_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:422'400 bytes
First seen:2021-10-07 03:52:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'624 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:b/jIGIZdF7MzKQ+3HwO+rlInJvSuvEP+9ET1b8/4ZTwAUN0rrThAf4DkohHBXDXJ:b/Mk7o+rwc3N8/4lj7if4DkmzXJ
Threatray 8'590 similar samples on MalwareBazaar
TLSH T1B194D03E33A3DD00DE7186B2EC8ED55147B8B81621AAC7393A8D327D78127F54D90AC6
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVPRF2100114_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-10-07 03:55:13 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/073186ac-0011-4c6b-8f9e-7f38a4f16405

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195583/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/615e6f2098a6280f39335a7b/reports/3f182d7c-3938-46a4-9b97-acb7abda079f/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d6d51900-65dd-4306-8571-364cec600ae5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/865985
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 498413 Sample: INVPRF2100114_pdf.exe Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 31 www.faithful-presence.com 2->31 33 faithful-presence.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 6 other signatures 2->47 11 INVPRF2100114_pdf.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\INVPRF2100114_pdf.exe.log, ASCII 11->29 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 Injects a PE file into a foreign processes 11->61 15 INVPRF2100114_pdf.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.abcrefreshments.com 74.206.228.78, 49856, 80 WEBAIR-INTERNETUS United States 18->35 37 consultantadvisors.com 50.87.248.44, 49859, 80 UNIFIEDLAYER-AS-1US United States 18->37 39 13 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 51 Performs DNS queries to domains with low reputation 18->51 22 msiexec.exe 18->22         started        signatures11 process12 signatures13 53 Self deletion via cmd delete 22->53 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7b5de7135bd7e3c2eb98a94977c138597d357def8a9851a8df3ee442f83ec737/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-10-07 03:53:04 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pno6oe2327r4f24yvfexpqjylf6tk7pprkmfdkg7h3sef6b6y43q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0693c816986f73899e351e1989103e680c336f401cca1d14f5bce3b5865cfee6
Formbook
2cf9a6fd4361184dbe79b2067472bdb6ac2907b89e78e213cf0eadd69ed10cd1
Formbook
6acf1bec87a9b06a63ac3be623a527d7c419d17bb8a258b67e2f7cc2c607cc10
Formbook
73db754f5e709731e9c07c230fa6512ee75e07184c367e3f80b1bf646e7b72da
Formbook
7b4c1bf9a15a419080fe02866aa26f162f79d5e01763c6af5915b07988556223
Formbook
95b6ba2be30399f87d20e021bee29f0eb46773b67407f3ed9987d22610d5249d
Formbook
a0d1e3fbe11fcbbea9dcad1880e23ea531c01c20fbbf383174cd420349657a01
Formbook
aba852eff9b53848b266228241991403993f7769587712794eb5f406ce4c9a6c
Formbook
c18d5baf727358a8635a51fc7cfb4c3f4c90c78abcecf051feb4540323e98746
Formbook
eafdeb6ac0b1bd6f065c70b3b2892bf04c6d5d674751e64b7583ba13ddf6ebd5
Formbook
+ 8'580 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:euzn loader rat
Link:
https://tria.ge/reports/211007-efmvsabge7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.heser.net/euzn/
Unpacked files
SH256 hash:
e86f8321145d76c1d4dea6b6078bd199bc465aa1a1350667a2a622ebd5c09573
MD5 hash:
87fe8cd2bd5e5743c2206ac8eb983678
SHA1 hash:
205e2e983ffc60f77f80687c332d26a7d96b442a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/75eeafe5-5e37-4a00-983c-33a75fe01420/
Parent samples :
a0d1e3fbe11fcbbea9dcad1880e23ea531c01c20fbbf383174cd420349657a01
a243b394a1a3377b3ae936e6ea896588cca8cc43f8b961bdecbbe324e28c283c
662ae2a76488e0f775884f0c19daa286c910f2e72acb414a5f820b655ef42565
3dafcb39d7cc251c9a8212a8e745e0d72f2c530bf699a9168a379fa25e36ec38
7b5de7135bd7e3c2eb98a94977c138597d357def8a9851a8df3ee442f83ec737
6446736e3662120e1fe4c3518bc8e6d14553f6b0b27aaf1fc5676e1f73a50c33
17ed64707506c917be6329e1cbe94548d761d218dc8e2d624eab99565acc055d
9508c04b4c1dd578c8c3b8597a68bb73548b107edcbb37f13909a18d85f78b3a
SH256 hash:
fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03
MD5 hash:
c380b6831f456ac5cac08c78c0e4dada
SHA1 hash:
3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c
Link:
https://www.unpac.me/results/75eeafe5-5e37-4a00-983c-33a75fe01420/
SH256 hash:
9f80a71a2406cf07e5636dcaca29843eed5274c3d14ff11ab65e9b01e93a9c34
MD5 hash:
205108efe53084f27d8a18c2e5a27d39
SHA1 hash:
3cd0e65a97d6a1ac95e391dbab84395029442614
Link:
https://www.unpac.me/results/75eeafe5-5e37-4a00-983c-33a75fe01420/
SH256 hash:
7b5de7135bd7e3c2eb98a94977c138597d357def8a9851a8df3ee442f83ec737
MD5 hash:
08be9eb13ce48889a767c1faf80fc855
SHA1 hash:
4f8c369ff1be2d9e02594b971ee24f4a2c8e18c9
Link:
https://www.unpac.me/results/75eeafe5-5e37-4a00-983c-33a75fe01420/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/7b5de7135bd7e3c2eb98a94977c138597d357def8a9851a8df3ee442f83ec737

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7b5de7135bd7e3c2eb98a94977c138597d357def8a9851a8df3ee442f83ec737

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/195583/

Comments