MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b692628c5a43cef1780ecd6223c6fa9e40a1e45932db8456738ecd61700544d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

Intelligence 18 IOCs YARA 18 File information Comments

SHA256 hash:	7b692628c5a43cef1780ecd6223c6fa9e40a1e45932db8456738ecd61700544d
SHA3-384 hash:	16d4442181b53e69052f546a3ac204f6c15ba136cdcf8328d21a615bd6ec865d1c05f2e7624bb740cb2fbde617c98454
SHA1 hash:	d47024ed8831278975eb9b6c27a8c751d0ec83f0
MD5 hash:	4e88079897055866905d378acde5ce2a
humanhash:	pennsylvania-lake-winner-johnny
File name:	Purchase Order.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	638'976 bytes
First seen:	2024-04-16 07:37:31 UTC
Last seen:	2024-04-16 08:28:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:Rynte5DllKZs5kErYVM6MneaMR+b+XH5TTljamhTk5JemT:werlKZs5kErY26Mnenwb+XxLGJx
Threatray	1'434 similar samples on MalwareBazaar
TLSH	T1FFD4014473EC9F27E6BD4BF45130646887F6692A3071E28D2D8670DA6AB1F40AF51F23
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	004000c8c8004000 (6 x AgentTesla, 6 x Formbook, 4 x Neshta)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

306

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

7b692628c5a43cef1780ecd6223c6fa9e40a1e45932db8456738ecd61700544d.exe

Verdict:

Malicious activity

Analysis date:

2024-04-16 07:42:39 UTC

Tags:

formbook xloader stealer spyware

Link:

https://app.any.run/tasks/838d617a-ab39-4883-a9ac-524619185e8a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Launching a process

Creating a file

Launching cmd.exe command interpreter

Setting browser functions hooks

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/661e2adc14fabb16f4fd3880/reports/1dfd8794-87ca-4509-862b-ff88e57eab6e/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/7b692628c5a43cef1780ecd6223c6fa9e40a1e45932db8456738ecd61700544d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c986883f-2bf4-416c-8708-4523f855d586

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1426531

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7b692628c5a43cef1780ecd6223c6fa9e40a1e45932db8456738ecd61700544d

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/7b692628c5a43cef1780ecd6223c6fa9e40a1e45932db8456738ecd61700544d/

Threat name:

Win32.Trojan.Znyonm

Status:

Malicious

First seen:

2024-04-16 00:01:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pnusmkgfuq6o6f4a5tlcepdpvhsauhsfsmw3qrlhhdwnmfyakrgq._file

Verdict:

malicious

Label(s):

formbook

Formbook

0c0001dfab0dc6cf87fc05e6752207cb13627722317885249e8840d335906d1a

Formbook

4850a766fab45d5947075658d9c6bbf4b970f0d05b082c1472b93d9a7fa3d093

Formbook

6c57771cda82415d8e0f6492203eff52a3fb36ea966fad9fc4e7fb4d0de7e378

Formbook

9a565700a3d3c7a802780c0e4ba717b082175fd33b5afc7dcfeb95905b6db784

Formbook

ca1d2592c9726d9e3a6a57c55ac57b40d9aa3bc501393a40962afd5bd4946433

Formbook

d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0

Formbook

e0063d0d5bebd7b349f970ec640d1e14ccba6e766999bfd630ac52e791e2dc65

Formbook

+ 1'424 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:gs12 rat spyware stealer trojan

Link:

https://tria.ge/reports/240416-jgdeysce56/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Formbook payload

Formbook

Unpacked files

SH256 hash:

a2ba42ed48ec131b0b401c30a65855fb6e9cf95f8d95cec11b9c4a9b4d2eb32e

MD5 hash:

d37feecac71348dce1ea1abf653c2a5f

SHA1 hash:

296bbb93b782a4794f0a833f05c0fc5f8a21b3d3

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Formbook

Link:

https://www.unpac.me/results/737b93cd-591f-4859-a646-73b10b3b086c/

Parent samples :

7b692628c5a43cef1780ecd6223c6fa9e40a1e45932db8456738ecd61700544d
81f6e3ff9cc821300e30acd628d0579793806ebfb89941d04f9bc33998f9a851
ae300b28b2240d11d01e9066a26a88349258d4016c41460604c9ff5bb64c9b6d
b7def3af905789a4ecedcc226d91592d8bc758ce8c5458d62ef435707de8670f

SH256 hash:

22b9cf2506bb0035f7647c78dc56f7c0f9fbe3ece4a587aeda93709cb3833c09

MD5 hash:

bf857e499c01d6d307bd50790e44ea0d

SHA1 hash:

e5482ab1fc1a500fe2a3c5c44626ef90a12885c1

Link:

https://www.unpac.me/results/737b93cd-591f-4859-a646-73b10b3b086c/

SH256 hash:

220e905c2f8e4384e8905084bf76a0a8c627263e8b0439d7a5fae81be897e7f1

MD5 hash:

72c3e08510e1206a80e9dabc473eda3e

SHA1 hash:

e218a1aa3ff4ca1713cc6284e0f6f8af9948ad5c

Link:

https://www.unpac.me/results/737b93cd-591f-4859-a646-73b10b3b086c/

SH256 hash:

5d3b862b27a5560f64437cb6536329849a21cdf636a5a60903f09e5a26d6e6ae

MD5 hash:

a3e7359f4b2bba12f1351f95d29edaf0

SHA1 hash:

3bde250aa41f4c8bb377611a8da6158265c7d2c5

Link:

https://www.unpac.me/results/737b93cd-591f-4859-a646-73b10b3b086c/

SH256 hash:

7b692628c5a43cef1780ecd6223c6fa9e40a1e45932db8456738ecd61700544d

MD5 hash:

4e88079897055866905d378acde5ce2a

SHA1 hash:

d47024ed8831278975eb9b6c27a8c751d0ec83f0

Link:

https://www.unpac.me/results/737b93cd-591f-4859-a646-73b10b3b086c/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7b692628c5a4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7b692628c5a43cef1780ecd6223c6fa9e40a1e45932db8456738ecd61700544d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	crime_win32_ransom_avaddon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Avaddon ransomware
Reference:	https://twitter.com/VK_Intel/status/1300944441390370819

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample