MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c0276edd9ce400d92a0b135a90b3d0f055991aad22ba1acb0fac193636eb621. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c0276edd9ce400d92a0b135a90b3d0f055991aad22ba1acb0fac193636eb621
SHA3-384 hash: b09c5781e9c7d88046610f6b2cab3a1ef5759378fa9ed2569da322a044ea03cd60cea94eb6b93ad31b5879aeddd086df
SHA1 hash: 65d7c87dedf0d99ebff535cfd3e81c34a06ceeb1
MD5 hash: d3970fd03db03f3e026192203a110226
humanhash: salami-chicken-moon-mango
File name:proforma invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:762'880 bytes
First seen:2023-11-01 08:39:58 UTC
Last seen:2023-11-02 15:07:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:K9LWtjIQpEB0gYGBKvzNDpZrbr174bKlhku8T1gXEZ3gzCt9EeYRGzwFOGueWAoC:KctsQ7gYMKLJppb6KlhmxQegsCLWy
Threatray 35 similar samples on MalwareBazaar
TLSH T19BF41250A7FE0B7AEE39C7F616645B042FF1716F6126E3488ED270D69569F000A81F2B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:exe FormBook payment Shipping

Intelligence

File Origin
# of uploads :
3
# of downloads :
315
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
0cd707e24d49a91b3cafd857c31f4bfd.eml
Verdict:
Malicious activity
Analysis date:
2023-11-01 18:19:59 UTC
Tags:
formbook xloader stealer
Link:
https://app.any.run/tasks/a7149e34-d769-4444-8a96-3772013618b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457588/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2504.10035.17898.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65420eefbc703e36b0966858/reports/40d309ee-66f3-497a-90e8-15fecf20dd28/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/7c0276edd9ce400d92a0b135a90b3d0f055991aad22ba1acb0fac193636eb621
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/318f3f07-909c-4f16-9dd7-6a8c4d4445ee
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335344
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1335344 Sample: proforma_invoice.exe Startdate: 01/11/2023 Architecture: WINDOWS Score: 100 31 www.waterdropdilter.com 2->31 33 www.waktugaspoolne3.xyz 2->33 35 14 other IPs or domains 2->35 43 Multi AV Scanner detection for domain / URL 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for URL or domain 2->47 49 7 other signatures 2->49 10 proforma_invoice.exe 3 2->10         started        signatures3 process4 process5 12 MSBuild.exe 10->12         started        15 MSBuild.exe 10->15         started        17 MSBuild.exe 10->17         started        19 MSBuild.exe 10->19         started        signatures6 59 Maps a DLL or memory area into another process 12->59 21 goDifhFaqHHJKoVfN.exe 12->21 injected process7 process8 23 unregmp2.exe 13 21->23         started        signatures9 51 Tries to steal Mail credentials (via file / registry access) 23->51 53 Tries to harvest and steal browser information (history, passwords, etc) 23->53 55 Writes to foreign memory regions 23->55 57 3 other signatures 23->57 26 goDifhFaqHHJKoVfN.exe 23->26 injected 29 firefox.exe 23->29         started        process10 dnsIp11 37 4juris.xyz 198.136.59.220, 49749, 49750, 49751 DIMENOCUS United States 26->37 39 www.pmiy0a.cfd 107.148.95.217, 49757, 49758, 80 PEGTECHINCUS United States 26->39 41 5 other IPs or domains 26->41
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7c0276edd9ce400d92a0b135a90b3d0f055991aad22ba1acb0fac193636eb621
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c0276edd9ce400d92a0b135a90b3d0f055991aad22ba1acb0fac193636eb621/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-01 07:48:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pqbhn3ozzzaa3evawe22scz5b4cvtenk2iv2dlfq7lazgy3owyqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
08f858c188cfd3e620b156b53c1a9fb49d67445ffc6b5c004f87a93f44aa15a2
Formbook
1cc327be5ca8d7bd4cd244e9cd90454611559df4e971c3bd6649682413582c1e
Formbook
3ea69a1a0c5cc196a71ab1d7754abe0683813ff321d59d731bb72d2d3d076f3f
Formbook
3f98f70b03b079fcf00f40d8819a849513f391eca65c7a3424687138924c60a9
Formbook
7d1d279985060889c0213cae4ae9b4e8fecabc7c021b076d6034fdaaa1d903ae
Formbook
82e2999475b441f03d417b5ee9df2615ec04693e11c15fd5f6c1e444293b85e9
Formbook
e4b2f31e7c9fb2df6cf161898f23653c49d758f8f733e5910b99f3fd998569e0
Formbook
fa75be54659c7ffd8f59a49687c1ddf79c333861043831395b0fb10b87401f7d
Formbook
fcdc9c84c2d743794b07d4cff425214fa4466f3698e88d36cd6956531303ab1f
Formbook
+ 25 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231101-kkvzvaga48/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
a66f012554fa558b7cf7c5881e8159b9feaf4fa1b5010fb4077414713b479792
MD5 hash:
8e61c8e1fa4931a12efc5d923263cdf6
SHA1 hash:
ec82495b3ceb29dc0d5bc37f99c818a8f3e79754
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/968d68d8-ec02-4226-b3fe-b240a9e2561b/
SH256 hash:
0ba1122a32e87e976c3c1076bc93d38b8da59635dd7541bbbe393cd6b76170ee
MD5 hash:
114a8ee279e136584a12827ac26ede30
SHA1 hash:
72a7bed5b5e5c5a69a5570772d22418bbe55e9f9
Link:
https://www.unpac.me/results/968d68d8-ec02-4226-b3fe-b240a9e2561b/
SH256 hash:
5c723796902568d61680f069b4790ffa92acb26c6588eaa0f0c9cd60bee96d1c
MD5 hash:
4b3ae6d68cfb60a0b92783357c1a5a4a
SHA1 hash:
8b43283e210e996d229a6df10a4cb5b3cbdde78c
Link:
https://www.unpac.me/results/968d68d8-ec02-4226-b3fe-b240a9e2561b/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/968d68d8-ec02-4226-b3fe-b240a9e2561b/
SH256 hash:
01048bc482fe21e2bbd0b664f9575b2c0f79f239711d37c8dfeb2aaa4a73f416
MD5 hash:
5782a1714629a4760ec7b3f3f9e9bebb
SHA1 hash:
4becf19614919f1f73a9a80453ee89b1766d9bce
Link:
https://www.unpac.me/results/968d68d8-ec02-4226-b3fe-b240a9e2561b/
SH256 hash:
1ae6c210f6f5fa35659ac608556afabdfaf525605804e9ac0a2e7cdafee15aee
MD5 hash:
89dc9c8b6bb9d879389ba2dfcede771f
SHA1 hash:
000fee12e669b37c9a9fe872d9bfb5d92a2faf0a
Link:
https://www.unpac.me/results/968d68d8-ec02-4226-b3fe-b240a9e2561b/
SH256 hash:
888cd4cc10a93148a83414c7a0d829ed281bacdf527502e59f5c35984f2b6a2e
MD5 hash:
98c3089893e27ebf29d9023744bea74c
SHA1 hash:
f471c7b85d95dfa55013281746b5274e11fcf2a2
Link:
https://www.unpac.me/results/968d68d8-ec02-4226-b3fe-b240a9e2561b/
SH256 hash:
58e8c4c0a9518ed032da00d361152ec62f2cc7580b8f977d49ad4da83324f7c7
MD5 hash:
4c7d15ee691e450871e541e45c4bab46
SHA1 hash:
c16b470a6ecc253d6a4881ce4f867ad6944ca995
Link:
https://www.unpac.me/results/968d68d8-ec02-4226-b3fe-b240a9e2561b/
SH256 hash:
b9eed4e1df2d8dd4ace77d1d83b2ef21f38d06134a235d47ce3d71635da2acf2
MD5 hash:
516a6418dd7116200406df656b877c45
SHA1 hash:
95d6319251921a765d9cbd7ab25ba30aad738df4
Link:
https://www.unpac.me/results/968d68d8-ec02-4226-b3fe-b240a9e2561b/
SH256 hash:
a0211237e70022445aa743dbff03f6b0fbcb656149cbacd579b5ce3e0e8e33fe
MD5 hash:
21d93ecd7bc6e69edce8e81e3aa24a0a
SHA1 hash:
5f06b46725c4c76b44da88901e08b09d3a0c3389
Link:
https://www.unpac.me/results/968d68d8-ec02-4226-b3fe-b240a9e2561b/
SH256 hash:
51cb8696c90757378929288a3b429e5dc2960f2280d87dfbc55d88cfc00fadb1
MD5 hash:
5454f56a4353fd49447fd41fa4374b41
SHA1 hash:
3f931a4f7148dccd28f7bdedbe045f1501db7872
Link:
https://www.unpac.me/results/968d68d8-ec02-4226-b3fe-b240a9e2561b/
SH256 hash:
0bb71f4748ab2fac19e68267324a329d9393c9252eac6b656817f73ff6b8bdc7
MD5 hash:
9eeee49f149bd8a0e288c1e1dd494815
SHA1 hash:
0a399d1cee1bdd996f0162c134b461ce8d6e0c4f
Link:
https://www.unpac.me/results/968d68d8-ec02-4226-b3fe-b240a9e2561b/
SH256 hash:
7c0276edd9ce400d92a0b135a90b3d0f055991aad22ba1acb0fac193636eb621
MD5 hash:
d3970fd03db03f3e026192203a110226
SHA1 hash:
65d7c87dedf0d99ebff535cfd3e81c34a06ceeb1
Link:
https://www.unpac.me/results/968d68d8-ec02-4226-b3fe-b240a9e2561b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7c0276edd9ce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c0276edd9ce400d92a0b135a90b3d0f055991aad22ba1acb0fac193636eb621

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip c46345e2ef42b919913e819fe8d5ccc35ed5401c6d2db80304efc5d85c50e6f2

Formbook

Executable exe 7c0276edd9ce400d92a0b135a90b3d0f055991aad22ba1acb0fac193636eb621

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c46345e2ef42b919913e819fe8d5ccc35ed5401c6d2db80304efc5d85c50e6f2
Cape
Cape
https://www.capesandbox.com/analysis/457588/
  
Dropped by
SHA256 be9cc5cd9b4db90edc62987c19fab231f5404880ce7e8dab20febab3f7c5bfa7
  
Dropped by
MD5 bda390aaf27430a350651dce8ec64978
  
Dropped by
MD5 147306fc892646cd7e4ddd8cdd0b18a7

Comments