MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ca8a122c2de09fc62bd94555fd701e862a65dda15839f37667b699127778f96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 14

SHA256 hash: 7ca8a122c2de09fc62bd94555fd701e862a65dda15839f37667b699127778f96
SHA3-384 hash: 0789501ca716a864a35539f811fb79cb70e2eaf313d1b3df19b2da5a7ef47aaa5731f0673ee518588e1d974970bb9e01
SHA1 hash: e0d34f0f1c9d1accaf1a639edd2170f8d4caf3a3
MD5 hash: 620f64878d2efa525ed7ac9a0ce3c89b
humanhash: sad-magazine-louisiana-paris
File name: REMITTANCEADVICE USD 00847645.exe
Signature: Formbook
File size: 767'488 bytes
First seen: 2023-05-23 14:20:34 UTC
Last seen: 2023-05-23 14:40:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:TDX91J3f2atFai/xFZS7EhtEsCAWknOAeGLDLtSC:TR1J3f2ULnZp7CSOKLg
Threatray: 3'000 similar samples on MalwareBazaar
TLSH: T1CEF4AD9533B5DF2AD87D93FF06F0608D0BB874067026E2195F9B35D27270BA26A48B53
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: FXOLabs
Tags: exe FormBook
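The digests and the imphash above are what a practitioner checks before opening the download. The Python below is an added example, not code from MalwareBazaar or from the sample: it recomputes the four digests listed for this entry and compares them, and walks the PE headers just far enough to tell whether the file carries a CLR (.NET) header, which both TrID (71.1% Generic CIL Executable) and the vendor classification "PE (.Net Exe)" indicate here. That matters for the imphash: a .NET executable's native import table contains only mscoree.dll!_CorExeMain, so f34d5f2d4577ed6d9ceec516c1f5a744 is shared by essentially every .NET binary. That is why one imphash counts tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, and why the imphash-keyed YARA rules listed in this entry are not family indicators. `build_minimal_pe` produces a constructed header-only test input, not the sample; the sample itself is not embedded.

```python
"""Added example: verify a MalwareBazaar download against the entry's hashes and
check for a CLR header. Not code from MalwareBazaar or from the sample."""
import hashlib
import struct
import sys

# Digests copied from the MalwareBazaar entry for this sample.
ENTRY_HASHES = {
    "sha256": "7ca8a122c2de09fc62bd94555fd701e862a65dda15839f37667b699127778f96",
    "sha3_384": "0789501ca716a864a35539f811fb79cb70e2eaf313d1b3df19b2da5a7ef47aaa"
                "5731f0673ee518588e1d974970bb9e01",
    "sha1": "e0d34f0f1c9d1accaf1a639edd2170f8d4caf3a3",
    "md5": "620f64878d2efa525ed7ac9a0ce3c89b",
}
# The imphash every .NET executable shares (import table = mscoree.dll!_CorExeMain only).
DOTNET_STUB_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def file_hashes(data: bytes) -> dict:
    """All four digest algorithms MalwareBazaar lists for a sample."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha3_384")}


def verify_entry(data: bytes, expected: dict = ENTRY_HASHES) -> dict:
    """Per-algorithm match result; a single False means this is not the listed file."""
    actual = file_hashes(data)
    return {name: actual[name] == digest.lower() for name, digest in expected.items()}


def pe_summary(data: bytes) -> dict:
    """Minimal PE header walk: machine, PE32 vs PE32+, and whether data directory 14
    (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the CLR header) is populated."""
    out = {"is_pe": False, "is_pe32plus": None, "machine": None, "is_dotnet": False}
    try:
        if data[:2] != b"MZ":
            return out
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return out
        coff = e_lfanew + 4
        machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:
            dd_start, plus = 96, False     # PE32: data directories start at optional header + 96
        elif magic == 0x20B:
            dd_start, plus = 112, True     # PE32+: at optional header + 112
        else:
            return out
        (n_dirs,) = struct.unpack_from("<I", data, opt + dd_start - 4)  # NumberOfRvaAndSizes
        out.update(is_pe=True, is_pe32plus=plus, machine=machine)
        if n_dirs > 14 and opt_size >= dd_start + 15 * 8:
            clr_rva, clr_size = struct.unpack_from("<II", data, opt + dd_start + 14 * 8)
            out["is_dotnet"] = clr_rva != 0 and clr_size != 0
    except struct.error:
        pass  # truncated header: report what was parsed so far
    return out


def build_minimal_pe(dotnet: bool = True, pe32plus: bool = False) -> bytes:
    """Constructed header-only test input (not the sample; it does not run on Windows)."""
    magic = 0x20B if pe32plus else 0x10B
    dd_start = 112 if pe32plus else 96
    opt_size = dd_start + 16 * 8
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_start - 4, 16)                       # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, dd_start + 14 * 8, 0x2008, 0x48)   # CLR header RVA / size
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    print("hash match:", verify_entry(blob))
    info = pe_summary(blob)
    print("pe:", info)
    if info["is_dotnet"]:
        print(f"CLR header present: expect imphash {DOTNET_STUB_IMPHASH}; not a family pivot")
```

Run it against the extracted sample to confirm all four digests match before analysis; any False means you are looking at a different file. Hash matching is the only strong identity check here; for a .NET file the imphash pivot should be replaced by the unpacked payload hashes and the win_formbook YARA detections this entry lists.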

Intelligence


File Origin
# of uploads: 2
# of downloads: 273
Origin country: BR
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: REMITTANCEADVICE USD 00847645.exe
Verdict: Suspicious activity
Analysis date: 2023-05-23 14:22:44 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Behaviour
Creating a window
Sending a custom TCP request
Launching the process to change network settings
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: lolbin packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-05-22 15:02:02 UTC
File Type: PE (.Net Exe)
Extracted files: 18
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:gn28 rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SHA256 hash: cedbadf4d307c8e1e063fbf7bbd5b063b5fd84c1180d402930026ca73747be5c
MD5 hash: 530eadd06d4dbcca2105d29f080b639f
SHA1 hash: a8aa529643a24b889c1eb716b254907067ba3dc1
Detections: FormBook win_formbook_w0 win_formbook_auto win_formbook_g0

SHA256 hash: 4c7ce432433fc3a8b0a33d558e0041d3f1c222224c5e61f33104d990a534c7a4
MD5 hash: e8d756b4e2de5a67446e0b1b80e1bb99
SHA1 hash: b664448f87ac044a16706d35e5d76538ba79508a

SHA256 hash: 5b42b2fcce3e832c8bb694b9f2801ed90bc437126a3a3a06c28cbe095cadbf24
MD5 hash: 924c449a2a3eaab2546f9c92dc2ffd7e
SHA1 hash: b00b3cd7ffc8124a0ac7663fa832c987fd16b7a5

SHA256 hash: 16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash: fb4ed205b442f470bbf10913128efdcb
SHA1 hash: 9a0a4c5ae429769e3253a9a3daefa24270b87a5b

SHA256 hash: 04fce11b24cb681c966f2e7db0d3640f9d8dd505906449b3b9e5f034c0ce24b4
MD5 hash: fe6b1db043d778629bfc74dea0ea4d0b
SHA1 hash: 0d47257d1b329b5c885db0e67ac6a6bfe79abf8e

SHA256 hash: 7ca8a122c2de09fc62bd94555fd701e862a65dda15839f37667b699127778f96 (this sample)
MD5 hash: 620f64878d2efa525ed7ac9a0ce3c89b
SHA1 hash: e0d34f0f1c9d1accaf1a639edd2170f8d4caf3a3

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 7ca8a122c2de09fc62bd94555fd701e862a65dda15839f37667b699127778f96 (this sample)
Delivery method: Distributed via e-mail attachment